Editor’s Note: Since Michael Corn was interviewed for this profile, he has accepted a newly created position with the National Science Foundation as Cybersecurity Advisor for Research Infrastructure. He remains a UC San Diego employee and can be reached at mcorn@ucsd.edu. He is extremely grateful for the support UC San Diego provided him during his tenure, and credits the UC San Diego staff in the Office of Information Assurance, Trust, and Identity, for all the progress of the last six years.
By Laurel Skurko. Michael Corn, the Chief Information Security Officer (CISO) at UC San Diego, recently spent time talking with the UC IT Blog team about his work. He highlighted the need for system-wide collaboration to achieve effective solutions in cybersecurity. The unique choices and serendipitous opportunities in Corn’s career created building blocks for the techniques he uses to ensure teams collaborate in support of improved cybersecurity today.
From musicology to cybersecurity: the career path of UC San Diego’s CISO and how the theme of collaboration took root
“ And in many ways, my career path is completely annoying to people in security or trying to become CISOs…. For me, the career train has taken a kind of scenic route.”
Michael Corn is the Chief Information Security Officer (CISO) at UC San Diego, with over 20 years of experience in the cybersecurity field. Initially, he pursued musicology in graduate school at the University of Illinois Urbana-Champaign (aka “Illinois”) where he was exposed to non-Western music. This taught him about different cultures and their ways of perceiving the world and, ultimately, how to systematically look at problems from multiple perspectives simultaneously – a key ingredient of being able to collaborate across diverse teams. Corn believes that a broader humanist perspective is important in the field of technology as well. His passion for IT and work in astronomy eventually led him to transition into cybersecurity.
Coaching skills – why a CIO taps Corn as first security officer (University of Illinois Urbana Champaign, 2001-2013)
Corn started working in policy development at the system office at Illinois, where he honed his skills in navigating multi-campus politics and fostering collaboration among different stakeholders. While he did not have formal security training at the time, the Chief Information Officer (CIO) recruited him as the first security officer for Illinois. It was his expertise in handling complex institutional dynamics and driving system-wide cybersecurity policies that caught the attention of the CIO. Reflecting on this experience, Corn emphasizes that being a CISO is not just about technical knowledge, but also about coaching the institution to make informed decisions and facilitating effective implementation.
Policy management – how Corn drove a culture of cybersecurity awareness and resilience – in the context of competing factors (UC San Diego, 2017-present)
As the CISO at UC San Diego for the past six years, Corn has continued to excel in his role by using an organizational perspective vs a purely technical one. Corn views his role as one of guidance and leadership to drive a culture of cybersecurity awareness and resilience across the institution. This requires considering various factors such as HR policies, political considerations, and resource allocation.
He says, “We might feel that… ‘cyber risk is so important. It should have more attention.’ It is important that university executives know this…The reality is, the folks that run our institutions deal with risk in many different forms every single day – everything from student health, alcohol abuse, financial health of the institution, facilities….It goes on and on and on. And most of that’s not cyber, but most of it’s also incredibly critical to the health of the organization. I like to think of the folks that run Housing and Dining on campus: they’re feeding and housing the students that are the engine of the institution. [This is] not a cyber problem, necessarily, but it’s important to keep this in mind. Because what I do, I feel is very important. And I do feel cyber is in the ascendancy of something that needs attention. But our institutions are so complex, and so varied, and the layers of risks that exist in them are so multifaceted, that we need to remember that we’re just part – we’re one dimension among all that’s going on.”
When “zealous” meets “collaboration”
Working across deparments
As a leader in a large academic institution, the task of managing meetings and committees is no easy feat. In fact, for Corn, three quarters of his meetings are not even with his own staff. Instead, he finds himself collaborating with a vast array of individuals from different departments, faculties and organizations, providing different perspectives. He considers this type of diversity to be essential to tackling the cybersecurity challenge.
Collaborating across the nation and across the UC
Corn emphasized that “talking outside of my institution, getting different perspectives” is critical. He continued, “For many years, I was involved with other national efforts [such as] EDUCAUSE or Internet2. The exposure to different perspectives – the sharing that teaches you collaboration – is critical to success.” Similarly, he also emphasized that collaboration UC-wide in the area of cybersecurity is ripe with potential, saying,
“At the UC-level, I see opportunities for even more zealous collaboration in cybersecurity because, though there are differences across locations, what we are addressing is the same thing.”
Four critical issues for the future of cybersecurty
The blog news team asked Corn about what the future holds for cybersecurity. He referenced a number of topics, which he discussed in detail, as follows:
- Research cybersecurity – To support research cybersecurity, UC San Diego has built the Cybersecurity Maturity Model Certification (CMMC). This will enforce protection of sensitive, unclassified information that is shared by the Department with its contractors and subcontractors. Further, to certify the security posture of every lab at UC San Diego, the team is implementing UCSD’s Cybersecurity Certification for Research . The framework of this grant can be expanded as federal government requirements increase.
- Passwordless authentication – Corn emphasized the trend of passwordless authentication, which has the potential to significantly improve user experience. For example, the use of biometric authentication methods, such as Face ID and Touch ID, in various applications used in UC campuses could greatly benefit the institution as a whole. However, there are challenges to implementing this technology, such as the integration of 925 applications with the campus Single Sign On solution and the need to deploy software to users without biometric keyboards or hardware. Despite the challenges, Corn remains optimistic that passwordless authentication will be adopted, resulting in a significant improvement in user experience.
- Security training – Corn also underscored the need for further progress in security training. Standard security training has been shown to have no correlation with people’s susceptibility to phishing attacks, he explained. Instead of an ineffective 45-minute training once a year, targeted training should be provided when people need it. As an educational institution, we have an opportunity to innovate in the area of security training, and Corn is excited about the possibilities.
- Salaries – Universities are struggling to match commercial salaries for cybersecurity staff, which could make it difficult to recruit the next generation of cybersecurity professionals. However, integrating security officers with the research mission could make university cybersecurity work more attractive to early-career tech employees.
Corn’s passions outside work: traveling, orchid-raising, and homebrewing
Corn and his wife are avid travelers, but due to the COVID-19 pandemic, their plans have been restricted. However, they are eager to resume traveling as soon as possible. In addition to traveling, Corn has a passion for raising orchids, which he has been doing as a hobby throughout his life. Corn built a small hobbyist greenhouse in his backyard to grow orchids. He finds it rewarding to grow different varieties of orchids and experiment with growing conditions. Another hobby that Corn has been involved in for 45 years is homebrewing. He enjoys the process of brewing his own beer and experimenting with different ingredients to create unique flavors.
[Feature image caption/AltText: Michael Corn, UC Tech Community member, CISO, UC San Diego on the skills needed to lead cybersecurity at the university: Universities are terrific training grounds…because we are we are not a business – we are ALL businesses – we are small city.”]
Video production credit: Joshua Hori, UC Davis.
About Michael Corn
Michael Corn
Chief Information Security Officer
UC San Diego