By Laurel Skurko and Brendon Phuong. As cyber criminals have become more sophisticated, so has the battle to stop them. That explains why UC Investments, which manages the University of California’s investments ($152 billion in Fiscal Year 2023), and Technology Delivery Services (TDS) at UC Office of the President (UCOP), responsible for providing university-wide tech support, have partnered to create a customized cybersecurity program. The UC Investments Security Program, the first-of-its kind at the university, aims to address the specific needs of a multi-billion-dollar financial institution within a university setting.
The collaboration began in 2021, driven by the surge in cybercrime during the COVID-19 pandemic. Recognizing the security challenges inherent in moving around billions of dollars online, UC Investments, the “customer,” worked with Technology Delivery Services to fortify its cybersecurity measures, including implementing modern security controls, strengthening contractual protections with suppliers, and enhancing cybersecurity training for the UC Investments team.
Enhancing the cybersecurity controls for UC Investment – key success factors
In their interviews with the UC Tech news team, project team members enumerated five management steps that generated success, which included: (1) leadership commitment; (2) customer focus; (3) flexibility; and (4) creating a unique environment, each of which is referenced below.
(1) Leadership commitment
The comprehensive UC project team, led by UC Investments Chief Data and Operating Officer Arthur Guimarães and Molly Greek, chief information officer (CIO) of UC Office of the President and Technology Delivery Services (TDS), included independent consultants, UC colleagues, and technology vendors representing a diverse range of expertise. Crucial to the project’s success was leadership support and dedicated resources. Guimarães said “Not only was this project critical, but it was also enjoyable. We worked well together and appreciated each other’s perspectives and expertise. I give Molly Greek and Van Williams (UC systemwide chief information officer) a lot of credit. They have not shied away from the hard conversations and want us to do more.”
(2) Customer focus
“My team’s priorities were clear,” said Molly Greek, CIO of UC Office of the President and TDS. “We were listening to customer requests and fulfilling them.”
Each member of the team, both from the UC Investments (“customer/client”) and TDS (“service provider”) perspective, understood the magnitude of prioritizing the customer’s need to this extent, as reflected in their comments, below.
Jimmy Castro, UC Investments’ director of investment transaction services, the “customer/client,” said, “The assets are better protected than when we started our journey three years ago. Thanks to the UC team and our consultant partners, we increased our cybersecurity controls more than we ever have.” He continued, “We want to accelerate innovation in the security space, and the UC Investments Security Program has been instrumental in making this happen.”
April Sather, UC Office of the President’s chief information security officer (CISCO), the “service provider,” said the needs of the UC Investments team required a new approach to cybersecurity and customer service at the University of California. “Although UC Investments is a part of the university and the higher education system, its security needs are more specific to the financial services industry,” she said. “Similar to other institutions in the financial services industry, such as Blackstone and JP Morgan, UC Investments is in the ‘trust business.’ They invest funds in the hope of generating strong returns while also ensuring data security for customers. Data security is critical to UC Investments’ reputation.”
(3) Flexibility
Flexibility was key to the project’s success. While the teams had different perspectives on the same issue, due in part to their different functions and areas of expertise, they realized they each had something to learn from one another. To help Technology Delivery Services (TDS) see the situation from their perspective, UC Investments and their consultants prepared evidence to help TDS understand their concerns. Simultaneously, TDS worked to accommodate their new client. They foresaw that, without collaboration, UC Investments might seek the required service outside the UC system, introducing additional risks.
“We speak a different language and have different needs (aka cybersecurity controls),” said UC Investments’ Castro. “Breaking down silos and rising to some of these challenges is not easy but it is critical to progress.”
(4) Creating a unique environment
The UC Investments Security Program team created a separate process to address UC Investments’ cybersecurity needs, which features innovative approaches and products that vary from the UC standard. UC Investments supported TDS with additional funding for three full-time employees and for the additional hardware and software needed to reach their goals. This approach ensured that TDS could dedicate the additional time and energy needed to implement a new program without the complexity of introducing this on a scale, across other UC clients.
UC Investments Security Program deliverables
The UC Investments Security Program, a pioneering cybersecurity protocol, comprises various elements that collectively prevent, detect, and mitigate cybersecurity threats. Key deliverables include:
- The UC Investments Cybersecurity Advisory Board: Coordinated efforts for deploying/running endpoint software, network changes, and unique processes.
- Project Operations Team: A 12-member team maintaining premier support, evaluating new software/hardware, triaging security findings, and coordinating staff cybersecurity training.
- Monthly Cyber Reporting/Dashboard: A comprehensive overview covering penetration tests, risk assessments, security incidents, support requests, endpoint and infrastructure security reports, vulnerability reports, phishing reports, and security training reports.
Conclusions and an open invitation
Ultimately, this partnership provided the opportunity to be agile, pilot new technologies, and identify quick approaches to making improvements for the investments team. It demonstrates the value of collaboration in tackling complex and evolving cybersecurity challenges. Together, the teams have developed a way to prevent, detect, and mitigate cybersecurity threats for the UC Investments team, and they anticipate continuing to work together in the future
Based on its success, TDS will consider introducing elements of these innovative cybersecurity measures with other clients at the UC Office of the President and systemwide.
###
About the new “UC Investments Security Program”
UC Investments is benefitting from the individualized support that TDS is providing based on its specific needs as a large asset manager, distinct from the rest of the institution. This support ensures overall service and responsiveness, reinforcing protection at all levels thanks to new types of oversight and monitoring, technical upgrades, and new training programs, as described, in part, above.
About UC Investments
The University of California’s investment portfolios ended the 2022–2023 fiscal year at $152 billion (about $470 per person in the US) in assets under management. UC Investments, with some 50 employees, manages the University’s retirement, endowment, and working capital portfolios, with each of their financial products tailored to the needs of UC students, faculty, staff, retirees, and the 10 campuses and five medical centers. To learn more, visit the UC Investments landing page.
About Information Technology Services (ITS) Technology Delivery Services (TDS) at the UC Office of the President
Information Technology Services (ITS) Technology Delivery Services (TDS) team at the UC Office of the President has about 250 employees. Van Williams is the chief information officer of the University of California, and Molly Greek is the chief information officer of the UC Office of the President. The team provides system-wide support, managing about 200 IT applications, many of which operate system-wide. To learn more, visit the UC Office of the President Technology Delivery Services (TDS) Annual Review for Fiscal Year 2021-2022
“UC Investments Security Program” team
UC Investments Security Program team members, in alphabetical order, include:
Frank Basa
Information Technology Contractor, Project Manager, UC Office of the President
Shirley Bittlingmeier
Executive Director, Client Services, UC Office of the President
Jimmy Castro
Director, Investment Transaction Services, UC Investments
Molly Greek
Chief Information Officer, UC Office of the President
Arthur Guimaraes
Chief Data and Operating Officer, UC Investments
Greg Herweg
Consultant
Matt Myrick
Consultant
Eric Person
Director of Network, Hosting, and Cloud Services, UC Office of the President
Kari Robertson
Chief Technology Officer, Infrastructure Services, UC Office of the President
April Sather
Chief Information Security Officer, UC Office of the President
Joshua Van Horn
Deputy Chief Information Security Officer, UC Office of the President
Authors
Laurel Skurko
Marketing & communications
UC Office of the President
Brendon Phuong
Marketing & communications Intern
UC Office of the President