Practical IT security for higher ed
Curtis Carver’s team is focused on innovation, agility and cost-efficiency.
Since joining UAB in 2015, he has led many successful initiatives, including unlimited email, unlimited storage, greatly enhanced connectivity, a tenfold increase in high-performance research computing, and a new strategic plan that creates a world-class IT organization, which empowers a world-class research university.
How has he done this? By listening intently, acting intentionally and partnering widely.
Carver came to UAB after serving as vice chancellor and chief information officer for the Board of Regents of the University System of Georgia.
A graduate of the U.S. Military Academy at West Point, he has received national and international honors and awards for military, teaching and research excellence.
Carver is a keynote speaker at UBTech 2019, June 10-12, in Orlando, Fla.
In a nutshell, what is practical security?
Practical security is implementing technologies, policies, education, training and awareness approaches from a holistic, customer-centric perspective. It’s looking at something not as an isolated technology or policy, but as a holistic package that fundamentally changes behavior.
Every organization has some mechanism for authentication and authorization, typically a username and password. When you have misalignment between real security and customer adoption, you have security vulnerabilities.
Real security is not an eight-character password that must be changed every 90 days and that a kid can crack in two hours. It’s a 15-character password. It’s about 500 million times more difficult to hack. Even with a million PCs, a hacker couldn’t crack that password in a month. That’s practical security. It’s that holistic, “customer at the center of the conversation” approach to how you do security.
What are effective ways to implement practical security?
With phishing, you can tell people not to click on links sent from people they don’t know, but it’s completely ineffective. What is effective is a holistic approach in which you’re doing active training in their work environment. They’re getting a phishing message sent by the IT organization every quarter, and then if they click on it, they get educated on why not to click on it.
We modified the reporting processes. You used to have to fill out a help desk ticket, and zip up that email and forward it. Now you just push a “report a phish” button inside the mail client.
It was taking us about 800 minutes to close out phishing attacks. During that time, other people could get attacked. We moved that to 11 minutes. It changed this whole culture of something negative to something positive—something they want to do. Now, they want points, a leaderboard. They want to be the champion of the campus. That’s practical security.
What advice would you offer to CIOs?
We look at the most common attacks: abuse, password reuse, patching, phishing and spam, which should be on the priority list. So many organizations don’t. They’re focused on the least common, the targeted attacks, or other generic attacks—or focused on viruses, which is not a dominant attack vector right now.
CIOs should form that shared governance, look at the use cases, be holistic and put customers at the center of that conversation with the intent of changing behavior in the right direction.
It shouldn’t be done from a Napoleonic “I am telling you to do something” approach, but from building an understanding and reward structure that makes it easy to do the right thing. Then it’s about striking the appropriate balance between security and operational productivity.
Melissa Nicefaro is editorial assistant at UB.