By David Rusting. As I reflect on UC’s journey managing cyber-risk, particularly over the past four years, I’m proud of our collective accomplishments. Two weeks ago, I was able to share UC’s approach, experiences, and lessons learned with higher education colleagues at the EDUCAUSE Annual Conference in Chicago. I want to share them within UC too. We have a lot to be proud of.
UC is an amazing and unique university system, not only because of its diverse missions focused on education, research, health care, and public service, but also because of its distributed, federated governance and decision processes. The balance between unified action and local autonomy is a delicate dance. But the common enemy of cyberattacks and a shared commitment to protecting this wonderful institution have created opportunity. Working together, UC locations have developed a consistent and coordinated approach to maintaining that balance.
A cyberattack on UCLA Health in 2015 was a watershed moment in UC history. It resulted in UC’s having to make its largest privacy notification effort ever – to 4.5M individuals. The size and scope of that event made it clear a new strategy was necessary to protect the UC system and make us more resilient in the face of future attacks.
President Napolitano sounded the call to action and formed the Cyber-Risk Governance Committee (CRGC). Each campus now must appoint one executive, the Cyber-Risk Responsible Executive (CRE), who reports directly to the campus chancellor and serves on the CRGC. The central IT department often has a somewhat limited scope of authority, but the CRE is responsible for understanding the location’s cyber-risks and can remove local roadblocks. Further, the CRE must be kept apprised of incidents and must report them to the UC Office of the President (UCOP) – something that hadn’t been happening regularly – and share lessons learned with other locations.
Three key themes have emerged as we have developed and fine-tuned UC’s cyber strategy:
- universitywide governance with local authority,
- a focus on risk management, and
- an emphasis on cultural change.
We have learned multiple lessons with respect to each.
The governance model, reflected through our systemwide Electronic Information Security Policy, establishes overall guidance for meeting regulatory requirements, while also providing local authority and flexibility for the implementation of the policy. As we learned through an iterative and collaborative process, it is important to re-examine frequently the assumptions and beliefs of all stakeholders, including faculty and administration, in order to reach common agreement on the policy and standards. For example, we had assumed locations understood that reporting an incident to UCOP did not mean UCOP would try to take control or penalize them. We spent significant time reinforcing the message that reporting is solely to keep leadership informed (in the spirit of “no surprises”), and to enable UCOP to provide assistance, if desired.
Our focus on risk management is another pillar of our approach. Cyber-risk is not just an IT issue, but also a legal, ethical, and financial stewardship issue. It is critical to involve these functional areas in decision-making. We think this is the only way to achieve a level of security that balances the imperative to protect with the essential need to run the university and support the educational and research mission. When an incident occurs, representatives from legal, risk, privacy, and communications are part of the response team. They each bring a separate expertise to the table so that we are collectively better informed and the executive leadership can make better decisions, not only in the moment but also into the future.
Finally, the theme of cultural change has permeated our efforts. Some say UC culture is very hard to change, but as with many things in life, “never say never.” In fact, we have been able to move to a culture of coordinated action. We established systemwide threat detection at all locations, implemented mandatory cybersecurity training for faculty and staff, deployed a phishing simulation solution at all locations, and implemented a uniform escalation protocol and reporting solution for all significant cyber incidents. These unified actions also have helped create a more cyber-aware culture.
Of special note is our cyber insurance coverage, led by Risk Services, which serves as an enabler of better forensics and incident response for all locations. The insurance covers the cost of incident response services, such as forensic analysis and notifications to affected individuals. Despite our best efforts, there will be incidents, but having the cyber insurance provides peace of mind (and lowers our overall risk) when cyber incidents occur.
The advances we have made over the past four years would not have been possible without the collaboration of hundreds of people across the UC system. I thank everyone who has been part of and will continue on this journey. UC is composed of ten campuses and five health systems – each with its own community and culture – yet we have found that we are only stronger when we work together to reduce cyber-risk and, at the same time, ensure those efforts support the culture of independence and innovation that makes UC great.
David Rusting is UC chief information security officer, UC Office of the President.