University of Michigan CISO on cybersecurity and innovation in higher education

May 21, 2024

8 Min Read

DON Welch

CISO, University of Michigan

Don Welch is the CISO for the University of Michigan to include the Health System and branch campuses. He came to Michigan from Merit Network, where he was the CEO. Prior to Merit, Don was the Director of Enterprise Technology (CTO) and Merchandising Systems at H-E-B, a $12B retail/distribution/manufacturing company that operates in Texas and Mexico.

Sajid A. Khan

President, MicroAgility

Sajid, the founder of MicroAgility, brings over 30 years of experience in business transformation, with past roles at Deloitte, Merrill Lynch, and JP Morgan. At MicroAgility, he champions a people-first, agile approach to digital transformation, blending technology with human experiences. This vision has led to strong partnerships with businesses of all sizes, including Fortune 500 companies.

Sajid Khan

Don, Thank you very much for taking the time out for this Interview. Can you begin by sharing your perspective on the role of CISO in an educational institution such as University of Michigan?

‍

Don

By design, universities are quite decentralized with an emphasis on innovation and creativity. This freedom and agility is core to the mission of a research university. Freedom and agility is contrary to making security easy. My role is to protect the institution and as much as I can the individuals in the university community.

I have limited authority, so I have to have trusting relationships throughout the University and make progress through influence.

Sajid Khan

What particular challenges you feel exists in your current role at University of Michigan? Are you planning any initiatives keeping in view your past experience?

‍

Don

Research universities are actually very complex. Most people realize that universities have athletics, teaching, research, and patient care. Universities also have facilities, retail operations, power generation, etc. Almost every industry function you can imagine is represented in a research university.

Research universities also have a lot of information that others want and are will to invest significant time and effort to get. Intellectual property, personal health information, credit card information are among the many types of information that universities must protect.

The lessons from my time in the Army really ring true. Information security does not come from buttoning down things as tightly as you can and then making sure nothing gets unbuttoned. Our adversaries are smart and they adapt to what we do. So we have to constantly understand what they are doing and adapt. Security today requires an operational mindset. It is not static.

Sajid Khan

What particular IT Infrastructure and Information Security systems have been adopted by the educational institutions, particularly large universities such as University of Michigan?

‍

Don

I would say the most significant change is the move to the “cloud.” The University of Michigan has a “cloud first” strategy. Culturally, this is a significant change. Many IT staff have been at universities since the earliest days of computing. At that time, they worked on developing the technology that became the commercial standards.

Letting go of that control is difficult. Understanding that in many cases cloud providers can do a better job than we can – even in security – is hard. Understanding how to provide security with cloud providers is new to us. So not only do we have to adapt to leveraging the cloud, but we have to understand how we secure ourselves when much of our information is held by others.

Another change is that higher education is investing more in systems that look deeper to find intrusions. The threats against us include some of the most sophisticated attackers and we are moving to try to meet that theat. A focus on end-users is still important, but understanding what information is the most critical and protecting it with increasingly sophisticated tools is the trend.

Sajid Khan

Can you share some of your future plans for the University of Michigan?

‍

Don

We want to make it easier for our community to do the right thing. Michigan thrives because researchers think up new ways of looking at data and break down barriers between domains. I don’t think we have any school or college that doesn’t have at least some research collaboration with our health system.

Many of those collaborations include ePHI, and so HIPAA compliance impacts researchers across the campus. In some cases faculty are surprised to find out that they have to deal with FISMA, ITAR and other compliance standards. I think providing easier to use tools that faculty need to stay safe while they accomplish the university mission is the key protecting Michigan.

Identifying and creating IT services that are compliant with various standards will help and an important one of those tools. Providing guidelines, guides, consulting and services are necessary for the university to push the envelope while managing the risk.

Sajid Khan

What’s been your impressive achievement in your career so far?

‍

Don

It has probably been outside of information security. In my role at Merit Network I built a team that was able to accomplish some significant projects. We had built a few hundred miles of fiber, but needed infrastructure to serve the rural and remote parts of Michigan. As part of the stimulus program we competed for and won grants to build 2400 miles of fiber.

Not only did we have the challenge of building the fiber, but if you have any experience complying with the layers of sometimes conflicting federal bureaucracy, you can understand the magnitude of accomplishment. Not only did we succeed but were honored as one of the best projects in the country.

During that period we also started the Michigan Cyber Range: a unique training environment for cyber security that gained international recognition. While continuing our day-to-day operations we created two new, unique, and nationally recognized capabilities. Building the team that was able to accomplish that is what I am most proud of.

Sajid Khan

Could you please share your leadership Style? Does your leadership style vary with the role?

‍

Don

Trust is at the core of all leadership. The team has to trust the leader and the leader has to trust his or her team. Within that trusted environment, it is the leader’s role to provide the team with what they need to go further and faster than they thought themselves capable. Training, resources, guidance, support, coaching; whatever they need to succeed.

I think of the leader as an offensive lineman on a football team. They don’t score, they enable the backs and receivers to gain yards and score points. These characteristics don’t vary whether you are an informal team leader or a CEO. The way you apply them varies based on the mission, the individual skills, experience and the maturity of the team.

Sajid Khan

What advice would you offer for other information security / cyber security executives who aspire to follow you?

‍

Don

You are first and foremost an executive and leader in the organization. Your focus happens to be information security. Your role is to help the organization accomplish its mission while tolerating the right amount of risk. You can’t create a zero-risk environment and your organization has to thrive.

Hitting and staying in that sweet spot while dealing with adversaries who are capable and constantly adapting is the challenge. Good executives are invaluable to their organizations and as an information security executive if you are really good – no one will know it.

Sajid Khan

Anything else you would like to share with our readers.

‍

Don

Thanks for the opportunity.

Transform Your Business with Microagility

Let's turn your challenges into opportunities

Privacy policy

MicroAgility respects your concerns about privacy, and it is our endeavor and objective to provide excellent quality service to all our clients. This privacy policy has been formulated to help you understand the nature of the information we collect from you when you visit our website and how this personal information will be treated by us.

Browsing

We have not configured this website to collect any personal information from your computer when you browse this site. Only information that you voluntarily and knowingly provide will be used.

Data collection and consent

When you visit our website, we may collect certain information such as your IP address, browser type, and other technical details to improve your experience. Additionally, you may voluntarily provide personal information such as your name and contact details when interacting with certain features, such as forms or surveys.

We will only collect personal information with your explicit consent. You have the option to control or withdraw this consent at any time, including managing your preferences for cookies and other tracking technologies. Information on managing cookies can be found in our Cookies Policy.

Internet Protocol (IP) address:

Whenever you visit our corporate website, the server used by our web host will make a record of your IP address, the date and time of your visit, the type of internet browser you use, and the URL of any website that referred you to our site.

Web surveys

Our online web surveys enable us to gather specific information regarding issues such as your feedback on the look and feel of our website. Additionally, we may request information on several elements of our customer service. Your feedback is vital, appreciated, and enables us to enhance the quality of customer service we provide. The provision of your name and other details is completely optional.

Links to other websites

Our website may contain links to other sites. MicroAgility is not responsible for the data collection practices, privacy policies, or content of those websites that are accessible via a link from this site.

Disclosure of information

MicroAgility will maintain the privacy and confidentiality of all personal information collected. Such information may only be disclosed when required by law or when, in good faith, we believe that such action is necessary or desirable to comply with the law or protect or defend the rights or property of MicroAgility, this site, or its users.

Information needed to execute the transactions you request

When we do require information from you, we will request you to submit it voluntarily. This information will help us get in touch with you and process your requests where applicable. The information may also be used for marketing or quality assurance purposes.

The information you provide will never be sold to any third party for their own marketing purposes without your express permission in writing, unless it is done on an aggregated basis for statistical purposes and research without any information that can be used to identify you.

Your rights

MicroAgility respects your rights concerning your personal data. You have the right to access, correct, or request the deletion of any personal information we hold about you. Should you wish to exercise these rights or withdraw your consent, please contact us, and we will respond promptly. We are committed to ensuring that your data is handled in a way that complies with relevant privacy regulations, such as the General Data Protection Regulation (GDPR) or California Consumer Privacy Act (CCPA), where applicable.

Quality assurance purposes

Contacting us with your questions and comments

Information you provide will be treated as confidential. Online forms request information to help us provide you with enhanced quality of customer care. MicroAgility will use such information to respond to your questions, comments, or requests.

Disclosure to third parties

We will not sell, trade, rent, or release any information to any third party outside MicroAgility, its business divisions, or its subsidiary companies. Disclosure may only be made upon an order from a judicial or regulatory authority.

We reserve the right to change these privacy policy terms and conditions as and when necessary and appropriate. All changes will be updated here, and you will always be informed of what information we gather, how we might use it, and to whom we may disclose it.

Conclusion

Your privacy concerns are important to us. We hope this policy has been helpful in conveying this to you.

Terms of Use

MicroAgility and its affiliates (“MicroAgility” or “we”) provide content on this website (the “Site”) subject to the following terms and conditions (the “Terms”). We may periodically update the Terms, so please check back from time to time. These Terms were last updated on October 7th, 2003. By accessing and using this Site, you agree to these Terms. For an explanation of MicroAgility’s practices and policies related to the collection, use, and storage of our users’ information, please read our Privacy Policy.

Copyrights

All content and functionality on the Site, including text, graphics, logos, icons, and images, as well as the selection and arrangement thereof, is the exclusive property of MicroAgility or its licensors and is protected by U.S. and international copyright laws. All rights not expressly granted are reserved.

Trademarks

The trademarks, service marks, designs, and logos (collectively, the “Trademarks”) displayed on the Site are the registered and unregistered Trademarks of MicroAgility and its licensors. You agree that you will not refer to or attribute any information to MicroAgility or its licensors in any public medium (e.g., press releases, websites) for advertising or promotional purposes, or for the purpose of informing or influencing any third party. You also agree that you will not use or reproduce any Trademark of, or imply any endorsement by or relationship with, MicroAgility or its licensors without prior written consent.

Use of Site Content

MicroAgility hereby grants you a non-exclusive, non-transferable license to access, download, display, and print one copy of the content and functionality displayed on the Site (the “Site Content”) on any single computer solely for your internal business use, provided that you do not modify the Site Content in any way and that you retain all copyright and other proprietary notices displayed on the Site Content. You may not otherwise reproduce, modify, distribute, transmit, post, or disclose the Site Content without MicroAgility’s prior written consent.

User Postings

You acknowledge and agree that MicroAgility shall own and have the unrestricted right to use, publish, and otherwise exploit any and all information that you post or otherwise publish on the Site in postings, survey responses, or otherwise, and you hereby waive any claims against MicroAgility for any alleged or actual infringements of any rights of privacy, publicity, moral rights, or rights of attribution in connection with MicroAgility’s use and publication of such submissions.

You covenant that you shall not post or otherwise publish on the Site any materials that
(a) are threatening, libelous, defamatory, or obscene;
(b) would constitute or encourage conduct that would constitute a criminal offense, give rise to civil liability, or otherwise violate the law;
(c) infringe the intellectual property, privacy, or other rights of any third parties;
(d) contain a computer virus or other destructive element;
(e) contain advertising; or
(f) constitute or contain false or misleading statements.

MicroAgility does not and cannot review all information posted to the Site by users and is not responsible for such information. However, MicroAgility reserves the right to refuse to post and the right to remove any information, in whole or in part, for any reason or no reason.

Notices of Infringement and Takedown by MicroAgility

MicroAgility prohibits the posting of any information that infringes or violates the copyright rights and/or other intellectual property rights (including rights of privacy and publicity) of any person or entity.

If you believe that your intellectual property right (or such a right that you are responsible for enforcing) is infringed by any content on the Site, please write to MicroAgility at the address shown below, providing a written statement that includes:
(a) identification of the copyrighted work and/or intellectual property right claimed to have been infringed;
(b) identification of the allegedly infringing material on the Site that is requested to be removed;
(c) your name, address, daytime telephone number, and email address if available;
(d) a statement that you have a good faith belief that the use of the copyrighted work and/or exercise of the intellectual property right is not authorized by the owner, its agent, or the law; (e) a statement that the information in the notification is accurate, and, under penalty of perjury, that the signatory is authorized to act on behalf of the owner of the right that is allegedly infringed; and
(f) the signature of the intellectual property right owner or someone authorized on the owner’s behalf to assert infringement of the right.

MicroAgility will remove any posted submission that infringes the copyright or other intellectual property right of any person under U.S. law upon receipt of such a statement (or any statement in conformance with 17 U.S.C. § 512(c)(3)). U.S. law provides significant penalties for submitting such a statement falsely. Under appropriate circumstances, persons who repeatedly submit infringing or unlawful material will be prohibited from posting further submissions. MicroAgility’s contact for submission of notices under this Section 5 is: 
MicroAgility, Inc. | 666 Plainsboro Road, #1116 | Plainsboro | NJ 08536

Data Protection and Privacy

MicroAgility is committed to protecting your personal data and ensuring your privacy. All personal information collected through this Site will be processed in accordance with our Privacy Policy and relevant data protection laws, including GDPR and CCPA. You have the right to access, correct, or delete your personal data. Should you have any concerns regarding your data privacy, please contact us, and we will respond promptly.

Disclaimers

The content and functionality on the Site are provided with the understanding that MicroAgility is not engaged in rendering professional advice or services to you. All content and functionality on the Site are provided “as is,” without warranty of any kind, either express or implied, including, without limitation, implied warranties of merchantability and fitness for a particular purpose.

MicroAgility and its third-party content providers make no warranties, express or implied, as to the ownership, accuracy, or adequacy of the Site Content. MicroAgility shall have no liability or responsibility for any information published on linked websites, contained in any user submissions published on the Site, or provided by third parties. Neither MicroAgility nor its third-party content providers shall be liable for any indirect, incidental, consequential, or punitive damages or for lost revenues or profits, whether or not advised of the possibility of such damages or losses and regardless of the theory of liability.

Limitation of Liability

To the maximum extent permitted by law, MicroAgility shall not be liable for any direct, indirect, incidental, consequential, or special damages arising out of or in connection with your use of the Site, including but not limited to any loss of revenue, profit, or data, regardless of the form of action or the basis of the claim.

Third-Party Websites

We may provide links to third-party websites, and some of the content appearing on this Site may be supplied by third parties (e.g., framing of third-party websites or incorporation through framesets of content supplied by third-party servers). MicroAgility has no responsibility for these third-party websites, which are governed by the Terms of Use and privacy policies, if any, of the applicable third-party content providers.

Governing Law and Jurisdiction

These Terms are governed by the laws of the State of New Jersey without reference to the principles of conflicts of laws thereof.