
#AskACISO Interview with Paul Rivers, CISO at Yale University

Could you tell us something about yourself?

I have been involved in IT and information security for 25 years. I have been in financial services, higher education and security consulting.

Have you, or would you ever consider, hiring an individual who has been known to be a hacker? If no, why, and if yes what would the benefits to your organization be?

Yes, I would certainly consider it. I suppose I would need to know exactly what is meant by “hacker”, which is a term that people seem to take to mean whatever they want.

People who like to understand how things work and know how to break them are invaluable to a security team. What I would want to understand about a hacker or anyone else is whether they can exercise good judgment about risk, and fully understand and will abide by the rules of engagement within the organization. Technical superstars are like raw energy: they can be channeled to useful or destructive purposes when building a team and running a program. So, superstar technical chops are but one part of the overall equation.

What are the biggest challenges that come with working as a CISO in the public sector? Is lack of budget an issue?

I can’t speak to the public sector, but I can speak to the challenges of working at top-tier research and teaching institutions. The challenges are largely cultural. Top research and teaching institutions operate in many respects as if they are a large federation of small, independent start-ups and entrepreneurship. When I have worked in the financial services sector, by contrast, there is a single mission for the entire organization. It is easier to fit a security program to a single mission. In research institutions, the missions are diverse and often unrelated. It also means communication by necessity must be emphasized even more than it is otherwise, as there are orders of magnitude more stakeholders across these largely independent units. And yet, the overall organization is still one legal entity, and so carries with it an overall level of inherent risk that goes beyond what a typical startup carries. The culture of openness and sharing, which is fundamental and vital to a university and must be maintained, adds yet another difficulty, as you can learn a great deal about the internals of a university simply by reading its websites. Social engineering is thus an even more difficult vector to address. The diversity of technology, again a necessary part of top-tier universities, adds additional challenges.

Budget is always a challenge, but that’s as true in a university as it is almost anywhere. To sum up the above, there are necessary and inherent characteristics about top-tier universities that will always make adequate information security more challenging than most other industries.

What do you consider your main tasks and responsibilities in your role?

Identify and credibly stack rank risk across the organization, ensure this information is presented to and understood by the right levels within the organization to make decisions on risk treatment, and then ensure those decisions are carried out. Beyond this, I must bridge the gap in understanding between technical staff and the rest of the organization, so that everyone is properly engaged in managing cybersecurity risk.

How should modern CISOs prepare for the inevitable breach?

Practice. Do not just practice with the technical team; make the case for full practice and participation by the CEO, Legal, Public Relations, and all the other usual suspects on the leadership team. You do not want to be in the position of figuring out roles and responsibilities during a live event. Ensure Legal and PR have vetted the plan. Have a retainer agreement for incident response for supplementation of internal labor and appropriate management of apparent conflicts of interest. Finally, talk to other CISOs who have been through public breaches.

What are the key questions a security professional needs to ask internally?

The answer to this question depends on what kind of security professional we are talking about. What seems to be common across intrusion analyst, pen tester, security operations manager, security director and CISO would be: are we credible in how we identify, assess and prioritize risk? Are we resorting to chicken-little tactics, which might have some effect in the very short term, but ultimately undermine and hobble a security program in the longer term?

How can you balance innovation and security when you must move quickly?

“Security is everyone’s job” can be a vacuous bumper sticker slogan, or it can be a real way in which roles outside of security and outside of IT are assigned real responsibilities for addressing cyber risk. When the entire organization understands their very concrete role in managing cyber risk and has the support to carry it out, security has scaled from a single team to the organization. This does not solve the problem referenced in this question, but it is a huge step in the right direction.

There was a hot topic in the Netherlands. “Email spoofing against Dutch Parliament could lead to serious spear phishing attacks”. What are your thoughts on these attacking vectors? (Email Spoofing) / (Spear Phishing)

What often gets discussed here: there are technical measures (SPF/DKIM/DMARC) that can help. There is training and awareness, which supposedly helps. Neither is foolproof.

What seems to be discussed less often are cultural issues. Organizations often have terrible mass communication practices, or they have internal processes which have never been looked at through the lens of a threat modeler. Email has inherent “watermark of authenticity” issues, but addressing these process and cultural weaknesses often gets overlooked.

Yale University has so many websites. How do you guys keep them all secure against (criminal) hackers?

To say something that to those outside information security will seem surprising and even provocative: they are not all secure.

As mentioned above, higher education is more open than perhaps any other sector, and this is a feature of higher education that should not change. This does mean more risk. So, it is even more important in higher education to be able to triage all assets, including websites, into risk tiers so that the most stringent controls and the most resources can be devoted towards securing and testing the highest risk assets.

Is there any chance that Yale University will launch a bug bounty program at HackerOne/Bugcrowd in the future? If yes, could you give us more details about this?

I am new to Yale, so I do not know how this might play out. In principle, I am fully in favor and support the idea of bug bounty

After that, Paul replied to us that he supports bug bounty programs. I asked him if he wants to talk with his management about running a potential program at HackerOne.

“Yes, I will put a bug bounty program such as HackerOne on my issues list to review. Some patience will be required, as again I am new to Yale and am in the process of triage for all issues related to Yale’s cybersecurity program. I’ll say again I am philosophically in favor of such approaches.”

Author: Huy Kha @huykha10

About Yale University:

Yale University is a private institution that was founded in 1701. It has a total undergraduate enrollment of 5,472, it has an urban setting, and the campus size is 345 acres. It utilizes a semester-based academic calendar. Yale University’s ranking in the 2018 edition of Best Colleges is National Universities, 3. Its tuition and fees are $51,400 (2017-18).


Pierluigi Paganini

(Security Affairs – CISO, Yale University)


Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years’ experience in the field, and he is a Certified Ethical Hacker at EC-Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. Author of the books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.
