The Ohio State University (OSU) has a golf course and a hospital. It has an airport and a hotel, not to mention a college campus full of students. Needless to say, that includes a lot of data. Safeguarding that data isn’t just about encryption and putting up strong firewalls—it’s about getting people to act responsibly.
This is no small task for Helen Patton, OSU’s chief information security officer. After assuming the role in 2013, Patton implemented a security framework to protect the information that the university, its researchers, professors, students, and staff have on hand—sometimes literally, considering everyone’s walking around campus holding smartphones. This framework—which is based on security standards put forth by the National Institute of Standards and Technology—serves as a risk management system for the 65,000-plus-student school.
On one side of the framework is management, governance, and policy; on the other side is the actual IT. To serve both sides of this role, Patton works with a team of about forty-three, plus roughly ten students. In a nutshell, Patton says, “Our job is to assist all the units and people at the university to manage their risk.”
OSU is not unique in the kinds of threats it faces, but it is unique in the number of threats, thanks to how varied the data is at the university. The medical center means OSU must think about the Health Insurance Portability and Accountability Act, the credit card information the university has means it must consider PCI security standards, and the research data means it must be aware of federal regulations.
The school must also ensure the outside technologies it uses aren’t susceptible to breaches. Part of that work depends on the involvement of other universities that might use these same technologies. All of the Big Ten CISOs meet monthly to talk through common issues and challenges. “We see what we can do to be collectively better than we would be individually,” Patton says. That could mean relying on each other’s work to assess vendors they all use.
Within the university, one of the most important tools Patton has is security training and awareness. First, she says, “You’ve got to make people realize that there’s something they need to be concerned about without scaring them so much that they shut down.”
Then there’s training people how to protect their own information. “One really big piece is getting people to manage and protect their own systems, because not everything is stuck in a data center behind a firewall,” Patton says.
A large part of Patton and her team’s approach to information security pertains to the university’s overall distributed management structure. “There’s no top-down command control like there is in some other industries,” she says, such as finance or military. So, getting people to do things takes longer and is more nuanced. “You have to convince people that it’s the right thing to do—you can’t just tell them to go do it.”
The benefit of this approach is that if you get people to actually believe in what they’re doing, then changes in behavior will stick, Patton explains. “I have to implement security procedures and policies that are either invisible to the end user—so they don’t know they’re being secure but they’re secure anyway—or I have to convince them to change their behavior and be happy to do it because if they’re not happy to do it, they won’t change,” she adds.
Distributed management also means that solutions don’t tend to scale well, so Patton and her team must come up with many individual solutions, which often differ across the university. Patton has a security advisory board, with one person from each unit acting as a security liaison. “They’re a great source of feedback and input into what is needed,” Patton says.
It’s this focus on people that drives Patton’s approach to security. She explains her philosophy by telling the story of when she was interviewing for her position at Ohio State and someone said to her, “Wow, you’re applying for this job? This is going to be a really tough job, being responsible for the security of all the data at Ohio State.” Patton sounded taken aback, even when recalling the conversation. “I said, ‘Hold the phone, timeout: I am not responsible for the security of the data at Ohio State. I am responsible for making sure that people at Ohio State have the tools and capabilities to manage the security of their data.’ ”
“We allow people to make decisions about how they work and what they do so they can do their research and they can understand the world,” she says. In higher education, Patton says people don’t want her looking over their shoulders and tracking every digital move they make, as an information security officer might in the private sector.
This approach has resulted in real changes in the information security culture at Ohio State. People are more aware of security as something to be concerned about, Patton says, though this isn’t her doing alone—it’s also that security is a larger part of the national conversation. “People are starting to raise questions about the security of their data without me asking the questions first,” Patton says. More directly related to her work, senior business leaders in the university are now making decisions with security in mind.
That’s absolutely crucial, because the university is in the business of disseminating knowledge. And to properly disseminate knowledge, the university must be certain that the knowledge is reliable and trustworthy. The university must know what kind of data it has, where that data is kept, and that the data is protected and reliable. This, Patton says, “is the major thrust of the work we’re doing at Ohio State.”