Voices in Tech: Building an information security program from the ground up

Inclusiveness and patience are key to success, says Tom Dugas, chief information security officer at Duquesne University
By: Melissa Nicefaro | May 21, 2019
Photo caption: Tom Dugas, chief information security officer, Duquesne University, Pennsylvania, began his role by building an information security program from scratch.

As the first chief information security officer at Duquesne University in Pennsylvania, Tom Dugas began by building an information security program from the ground up.

This effort had its challenges and rewards, and there were many lessons learned. First, he focused on supporting the mission of the university. Second, although there were times he felt he had bitten off more than he could chew, he stayed focused and brought the program along slowly while collaborating to bring the rest of the organization into the process. Then, he educated and informed those up the chain about what the university is obligated to do and where support is needed.

Dugas shares how he learned to balance supporting the university’s mission with making progress on a new program, as well as the ways he brought others along on the journey with him as he led from the middle and managed up.

Dugas will present “Lessons Learned From Building an Information Security Program From Scratch” at UB Tech® 2019, to be held June 10-12 in Orlando.


Where did Duquesne find a need for an information security program?

A lot of people were handling security, but in silos and not aligning services across the organization. If an incident were to occur, we didn’t have practices in place to face a university investigation or litigation. We focused first on policy and procedure, then on transparency and visibility. We wrote a data governance policy to help classify and identify what data we had at the university and how we had to secure it.

How did you address the second stage of implementation?

We needed to understand what risks the university had and how we were going to respond to them. We formed an external group that does an information security and maturity assessment and validates where we are compared with our peers on a variety of different topics. The nice thing about that maturity index is that it crosses all the major frameworks for information security to see where you stack up against the industry standards. Having that independent assessment and benchmark to start our program helped us understand and identify that we had a tremendous number of gaps. We now do the assessment every two years.

What were some of the challenges of building an information security program?

We wanted collaboration. Oftentimes, it can be seen as an us-versus-them consideration in which you have a security team telling everyone else what to do and not being vested in that decision-making and improvement process. We wanted people to understand that the baseline work was to ensure that the privacy and the protection of the university was first and foremost. We set forth a number of goals and objectives related to policy, procedure, practice, visibility, transparency and baseline protection. I didn’t have a single staff member. We had a virtual team with representatives from IT, HR, student organizations, general counsel, university police, and communications and marketing coming together to solve problems as part of an organization.

Talk about some of the rewards and successes you’ve seen over the past three years.

We have ingrained security into the standard operating procedure—not just within IT, but across the organization. We have a roadshow with our faculty, employees, students and administration to help them understand that information security is everyone’s responsibility. They all take a vested interest in ensuring that they’re asking the right questions of vendors, partners and employees, and when a risk happens, they’re notifying us. We’ve put in a dozen technologies in three years; most organizations typically do that over 10 years.

What lessons would you share with higher ed leaders who are building an information security program or are not as far along as you are?

Don’t bite off more than you can chew. You may set these timelines years out in advance, which we did, but things tend to change and timelines tend to shift. Be flexible, but don’t give up hope that you’re going to get it done.

Also, the only thing an information security program really does is focus the attention on information security exclusively. A shift of work for others across the university is needed to make it successful. The team has to make sure that we are serving the mission of our university. Our job is to make sure we are putting the right controls and protection in place to serve students. If we build that into our normal practice and if we think about that in everything we do, we will always balance out the risk versus reward in terms of how we’re serving the community.

Melissa Nicefaro is deputy program director for UB Tech®.