The view from a small college CIO: Infosec is getting harder to do.

Ravi Ravishanker is the CIO and Associate Provost at Wellesley College in Massachusetts. He has been in IT for many years, and supports an organization with more than 1400 faculty and staff. I spoke to him in September 2016. “Information security has continued to be one of the highest priorities for every one of the IT organizations I have worked for. The only difference is that it has become harder and its relative importance compared to the other things we have to do has gotten higher, which results in much higher resource allocation to security across the entire institution.”

He recalls 1986, when he began his IT career. He was writing code in assembler for a VAX VMS system so that it would execute faster. “However, we made a programming error to have one user send a file to another using TCP/IP. Because of an internal security lapse, the students found out they could send someone else’s files using our program. It didn’t take long to fix the problem, fortunately.” Coming into the modern day, he finds that vulnerability scanners are one of his most important security tools. “This is because they expose vulnerabilities about network ports that shouldn’t be open. Similarly, scanners that test our web apps for a range of vulnerabilities are also essential.”

“We realize that given our limited resources, we have to be very diligent. First and foremost, data and network security needs to be a priority for everyone in the IT organization, not just a select group of security administrators. Also, security is a joint partnership between IT and our users; it is a shared responsibility of the entire enterprise. If our users aren’t following best practices, they can expose our enterprise to data security issues. Security is a critical part of everything that we do.”

To date, he hasn’t seen much in the way of insider threats at the college. “People in higher education have a sense of loyalty to the institution, and we place a lot of trust in our employees. While insider threats are always a potential issue, we are in a space where it is minimal.”

The college has moved into the cloud and continues to increase its cloud footprint. “We try to do as much due diligence when we sign up with a new provider and make sure that they are giving us the security that we need. We thoroughly review the contracts and agreements from security and compliance perspectives before signing up with a provider.”

“We are a fairly small IT organization and currently our user services, which manages desktop support, and the systems and network groups are all under one director. This works really well in terms of information exchange between the groups and easy access to the systems and network engineers. However, we recently decided to reorganize this group and we hope that this relationship will be preserved because this relationship is critical from an information security perspective.”
