As part of my goal of becoming a Chief Information Security Office in the future, I have been conducting interviews with CISOs to gain insight and advice based on their experiences in this position. In this edition of the #AskACISO Interviews,  I interviewed Bob Turner, the CISO of the University of Wisconsin-Madison who graciously answered my questions.

Could you tell us something about yourself?

I have been in the IT world for over 37 years and managing or leading telecommunications, networking,  IT and Security teams for well over 30 of those years.  I truly love the opportunity to shape outcomes to be more effective, efficient and secure.  I started in the U.S. Navy and progressed through the ranks over 23 years to retire as a commissioned officer having served on submarines, surface ships, supporting aviation communities, and executive management of shore based telecommunications and information system organizations.  I followed that with an information and cybersecurity consulting career lasting 13 years before I had the chance to return to the operating world as a higher education Chief Information Security Officer. 

What do you consider your main tasks and responsibilities in your role?

My main focus is in the refinement and management of the University’s information security program and the leadership of a team of professionals that includes 25 full time employees and a large contingent of student workers.  This is no small task at an organization that serves 43,000 students & 22,000 employees, which includes faculty and researchers, administrators and support teams; and a significant number of connected education focused business units and visitors.  I like to say there is something new to do every day within the four domains of cybersecurity – risk management and compliance, enterprise systems security, testing and cyber defense tools, and incident response.  My office also has cyber forensics, security awareness and IT policy as principal strengths.

You are currently working as a CISO for the University of Wisconsin-Madison. A university needs to protect a lot of student and employee data. How would you react if there is a databreach and how would you mitigate the attack?

Dealing with data breaches is better when your team actively monitors the activity of nearly 80,000 endpoints and a large network environment that supports more than 34 major businesses within the University.  We follow specific protocols on a daily basis looking for the indicators of compromise and specific signatures that would indicate data breaches.  We back that up with incident response procedures that involve a cross section of experts dealing with technical, communications, legal and risk management aspects of data breaches.  We keep University leaders in the loop and help ensure that the victims of a data breach, whether they are University organizations or individuals, are notified and kept up to date on how we prepare for, identify, contain and eradicate the effects of intrusion.  Then we help orchestrate the recovery back to normal operations and catalog the lessons we learn along the way. 

Mitigation involves the identification of areas where risk is higher and taking the pre-event actions to reduce the risk.

Around two months ago. Equifax had a massive databreach and 143 million users were compromised. There was a critical Apache struts vulnerability in their infrastructure, but they weren't aware of it. The CEO of Equifax said this and I'll quote what he said:

"Smith said his IT department ran a (vulnerability) scan of the system a week after the initial problem was found and did not detect anything was amiss"

Where did it go wrong and why do you think that?

From everything that has been published the “what went wrong” is more likely a matter of what was not checked on a frequent basis.  Patch cycles allow for the opportunity to stop the evil before it happens – in this case the identification and patching of web servers and applications that were vulnerable would have gone a long way to slow down or avoid the attack.  Think of it as practicing good cyber hygiene.  You can only expect success if you inspect and tune up the components of your information security infrastructure that you need to be successful.

We hear every that a company has been breached and the IT department was not aware of it. How in the world can this even happen? Is it because there is a lack of IT management or maybe a lack of technical knowledge?

Cybersecurity is often a “break even” business.  On the best days, when all the security controls function and no data is lost or misplaced, you break even.  The security professionals who know their environment, understand the security needs of their data, and who train to react appropriately are in the business of breaking even.  Even the best security awareness programs that empower the users to do great things and protect information along the way are often just breaking even.  The best of us understand that and work to break even as a measurement of success.  Those who take their eyes off the road tend to wind up wondering where the data went.

What are your business priorities and how do they relate to your cyber security efforts?

Our mission statement includes an understanding that the University of Wisconsin Madison exists to “provide a learning environment in which faculty, staff and students can discover, examine critically, preserve and transmit the knowledge, wisdom and values that will help ensure the survival of this and future generations and improve the quality of life for all.”  My office seeks to support that mission by leading and managing campus efforts to reduce risk. Our strategies include support for the appropriate handling of data, continued diagnostics and good processes and procedures to manage vulnerabilities and in managing the likelihood and impact of cybersecurity risk that comes against our intellectual property and other sensitive information.

How does cybersecurity effectively align to the business?

We seek to add value to the University by managing risk and providing security solutions that minimize threats that may include compromise of research information that can be exploited or cause damage to the University’s reputation.  We align with our stakeholders to reduce or prevent revenue loss through theft of intellectual capital or disruption of services.  I believe effective cybersecurity occurs deliberately.  Cybersecurity lives within a life cycle that is based in people, processes and technology – it is never a single destination – not a one-time project – and really has no end point.

What are the biggest challenges that come with working as a CISO in the public sector? Is lack of budget an issue?

Budgets are certainly a big ball of stress for a CISO.  We have to ensure a sharp point on our pencils to ensure we are adding value to the operations and we have a public duty to reduce unnecessary cost.  Of course that creates other stressors like ensuring we have the right experts and we treat them right.  We need to keep away from activity that does not make sense.  We work with some of the smartest people in the world and who need to keep focused on their research and teaching, which makes it our challenge to minimize the impulse to do cybersecurity just for the sake of cybersecurity.   

A quick looks tells me that University of Wisconsin-Madison has a lot of websites. How does your team protect them and do you think that most of them are pretty secure?

We manage the security of our websites by monitoring on a frequent basis.  Of the more than 7,000 sites currently operating, less than 20 percent of them have issues that cause me even mild concern.  Considering many of the websites we monitor are spun up quickly and for short periods of time with many that are not handling high or moderate risk data, I would say we do real well to protect these important assets.

HackerOne has fixed more than 55000 vulnerabilities in different organizations. Most of the companies like Uber, Yahoo, US Dept of Defense are also happy to being a part of HackerOne. Do you think that there is a chance that University of Wisconsin-Madison will run a bug bounty program in 2018? If yes, could you give us more details about it?

I am not familiar with HackerOne’s track record.  While there are many discussions about how we can incentivize the University community to report bugs and flaws, I am not aware of any plans for bug bounty programs in the foreseeable future.

Marten Mickos. CEO of HackerOne said that just one vulnerability or a missing patch could potentially affect your whole organizations. Could you give us advise on how we can stay up-to-date to the latest vulnerabilities and the newest security threats?

We win when our community practices good cyber hygiene.  This means we know our data, hardware and software applications and take the appropriate measures to ensure we are patched and protected against vulnerable systems and we have the ability to recover form a cyber-related incident with minimal time to detect cyber events and a rapid cycle of remediation and recovery.

Do you guys teach students about cyber security related kind of things?

We promote awareness of cybersecurity through understanding how hackers work, which could include lessons in ethical hacking principles and tools.  Our Cybersecurity Operations Center is staffed by a cadre of students who learn the art and science of protecting the vast UW-Madison environment.  They are the future of cybersecurity!