University of Michigan CISO on cybersecurity and innovation in higher education
May 21, 2024
8 Min Read
Sajid Khan
Don, Thank you very much for taking the time out for this Interview. Can you begin by sharing your perspective on the role of CISO in an educational institution such as University of Michigan?
Don
By design, universities are quite decentralized with an emphasis on innovation and creativity. This freedom and agility is core to the mission of a research university. Freedom and agility is contrary to making security easy. My role is to protect the institution and as much as I can the individuals in the university community.
I have limited authority, so I have to have trusting relationships throughout the University and make progress through influence.
Sajid Khan
What particular challenges you feel exists in your current role at University of Michigan? Are you planning any initiatives keeping in view your past experience?
Don
Research universities are actually very complex. Most people realize that universities have athletics, teaching, research, and patient care. Universities also have facilities, retail operations, power generation, etc. Almost every industry function you can imagine is represented in a research university.
Research universities also have a lot of information that others want and are will to invest significant time and effort to get. Intellectual property, personal health information, credit card information are among the many types of information that universities must protect.
The lessons from my time in the Army really ring true. Information security does not come from buttoning down things as tightly as you can and then making sure nothing gets unbuttoned. Our adversaries are smart and they adapt to what we do. So we have to constantly understand what they are doing and adapt. Security today requires an operational mindset. It is not static.
Sajid Khan
What particular IT Infrastructure and Information Security systems have been adopted by the educational institutions, particularly large universities such as University of Michigan?
Don
I would say the most significant change is the move to the “cloud.” The University of Michigan has a “cloud first” strategy. Culturally, this is a significant change. Many IT staff have been at universities since the earliest days of computing. At that time, they worked on developing the technology that became the commercial standards.
Letting go of that control is difficult. Understanding that in many cases cloud providers can do a better job than we can – even in security – is hard. Understanding how to provide security with cloud providers is new to us. So not only do we have to adapt to leveraging the cloud, but we have to understand how we secure ourselves when much of our information is held by others.
Another change is that higher education is investing more in systems that look deeper to find intrusions. The threats against us include some of the most sophisticated attackers and we are moving to try to meet that theat. A focus on end-users is still important, but understanding what information is the most critical and protecting it with increasingly sophisticated tools is the trend.
Sajid Khan
Can you share some of your future plans for the University of Michigan?
Don
We want to make it easier for our community to do the right thing. Michigan thrives because researchers think up new ways of looking at data and break down barriers between domains. I don’t think we have any school or college that doesn’t have at least some research collaboration with our health system.
Many of those collaborations include ePHI, and so HIPAA compliance impacts researchers across the campus. In some cases faculty are surprised to find out that they have to deal with FISMA, ITAR and other compliance standards. I think providing easier to use tools that faculty need to stay safe while they accomplish the university mission is the key protecting Michigan.
Identifying and creating IT services that are compliant with various standards will help and an important one of those tools. Providing guidelines, guides, consulting and services are necessary for the university to push the envelope while managing the risk.
Sajid Khan
What’s been your impressive achievement in your career so far?
Don
It has probably been outside of information security. In my role at Merit Network I built a team that was able to accomplish some significant projects. We had built a few hundred miles of fiber, but needed infrastructure to serve the rural and remote parts of Michigan. As part of the stimulus program we competed for and won grants to build 2400 miles of fiber.
Not only did we have the challenge of building the fiber, but if you have any experience complying with the layers of sometimes conflicting federal bureaucracy, you can understand the magnitude of accomplishment. Not only did we succeed but were honored as one of the best projects in the country.
During that period we also started the Michigan Cyber Range: a unique training environment for cyber security that gained international recognition. While continuing our day-to-day operations we created two new, unique, and nationally recognized capabilities. Building the team that was able to accomplish that is what I am most proud of.
Sajid Khan
Could you please share your leadership Style? Does your leadership style vary with the role?
Don
Trust is at the core of all leadership. The team has to trust the leader and the leader has to trust his or her team. Within that trusted environment, it is the leader’s role to provide the team with what they need to go further and faster than they thought themselves capable. Training, resources, guidance, support, coaching; whatever they need to succeed.
I think of the leader as an offensive lineman on a football team. They don’t score, they enable the backs and receivers to gain yards and score points. These characteristics don’t vary whether you are an informal team leader or a CEO. The way you apply them varies based on the mission, the individual skills, experience and the maturity of the team.
Sajid Khan
What advice would you offer for other information security / cyber security executives who aspire to follow you?
Don
You are first and foremost an executive and leader in the organization. Your focus happens to be information security. Your role is to help the organization accomplish its mission while tolerating the right amount of risk. You can’t create a zero-risk environment and your organization has to thrive.
Hitting and staying in that sweet spot while dealing with adversaries who are capable and constantly adapting is the challenge. Good executives are invaluable to their organizations and as an information security executive if you are really good – no one will know it.
Sajid Khan
Anything else you would like to share with our readers.
Don
Thanks for the opportunity.
Transform Your Business with Microagility