When David Sherry became Chief Information Security Officer at Princeton University, he says cybersecurity was done well.
"I don't want you to think security at Princeton was some sort of vast wasteland. On the other hand, few outside of IT or security were really thinking about security and we needed to change the security culture of the university. I wanted to make security both cultural and programmatic."
The start of creating a culture of security: assemble the right team
Sherry recently joined us on our series of SecureWorld Remote Sessions briefings to share his experience over the past four years as he and his team created a culture of security.
The first thing he did was assemble a team, and that team bought into and helped develop the vision.
"What an opportunity I had, a new department, a new model, a new strategy for information security at Princeton University," Sherry said. "I don't take that for granted, and I know it's a rare occurrence. My team had a blank slate, we had an opportunity for a blueprint in front of us to design and create."
Sherry brought to Princeton his 25 years of technology experience, 12 of which were in higher education as the former CISO at Brown University. So he clearly understood the scope of the effort.
"In many ways, leading a security mission out of a university is like securing a city. Think about what we have to protect; students, faculty, and staff, yes, but there is so much more," Sherry said.
Princeton has a fire station, historical buildings, restaurants, a rescue squad, a police force, critical infrastructure, libraries, a power plant, sports facilities, concert halls, retail stores, a transportation system, museums, conferences, visiting dignitaries, and more.
Developing a culture of security: the mission statement
"This was and is about culture change. And as we all know, changing culture, not an easy task, especially in such a complex vertical as higher ed where we're defined by principles of academic freedom, openness, cross institutional collaboration and research, and quite simply, myself and my group can't get in the way. We can't hinder any of the teaching, the research, or the learning, and we have a lot to cover," Sherry said.
So Sherry's team developed the following mission statement:
"The mission of the Princeton University Information Security Office is to make information security programmatic and cultural on campus in order to support the university in its mission in teaching and research."
How do you assess your current cybersecurity culture?
The first few months at Princeton, Sherry explained, he focused on assessing the culture of the university.
He spent time observing, listening, and talking with people in every department and facet of the school. Along the way, he was gathering data and formulating a plan, but no actions were taken.
"In fact, the CIO requested that no actions be taken in the first three to six months. He really wanted me to embed myself in the current culture and assess before I started…. I immediately started to create partnerships and establish positive influence with key areas across the campus. Some were the normal areas like centralized IT staff, but there were other areas, as well: public safety, procurement, records management, the trustees…. It was important to establish the relationship, and more importantly, to establish trust," Sherry said.
One way to establish trust was to prove that security wanted to enable things.
"This was done by finding that one little nagging complaint, or piece of low hanging fruit, and getting it done. That took a lot of quick research and working through the nights at first, but when I came back with a solution or explanation, the relationship was getting off to a solid and rapid start."
Sherry explained that in the first few months his team wrote a strategic plan, created a staffing model, and set a foundation to hit the road running.
"A recent risk assessment began to expand, and we started a publicity blitz…. The key element in our success is consistency. Programmatic and cultural would be hard to obtain if the game kept on changing," Sherry said.
Security culture: the security team and everyone else
Sherry explained that he (the CISO) would have no operational responsibilities in the beginning, so that he could focus solely on the execution of the mission.
"The IT security was being done with excellence, so we were going to leave that going while we assessed our strategy, and the operational responsibilities would come later."
Sherry's team developed four staffing verticals to focus on—Architecture, Engineering, Risk & Analysis, and Awareness & Training—and was able to fill all the roles with internal Princeton staff.
"That was important to establish credibility, but also to take advantage of institutional knowledge…. None of these hires had a mindset of 'we've always done it this way,' which was key to our initial, and even ongoing, success," Sherry shared.
Security culture: redefine how security sees end-users
Can you build a robust security culture if you believe or communicate that end-users are the weakest link? Sherry does not think so, and he openly shared his distaste for this motto.
"Ugh, classic example of negative reinforcement. It almost gives them the authority to fail in their security actions because you are expecting them to. At Princeton, we see our community differently, we see them as 'Guardians at the Gate.'
My team couldn't be everywhere at every minute, so why not make the community part of the team? If you have every member of your community empowered to be part of the solution, you've made a huge step towards changing the culture.
Some of this is tools, some of it's solutions, some of it was resources we provided them, some of it is pure psychology. But all of it assists in culture change," Sherry said.
Security culture for faculty and staff
"We follow the NIST Cybersecurity Framework, but we also needed a way to depict to members of the Princeton community what we actually do. It's really easy for our leadership to remember 'detect, respond, recover,' but how do we really show them the value proposition outside of the cybersecurity framework?" Sherry said.
This led Sherry's team to create a diagram depicting how they "secure, sustain, and support," all while explaining the mission and strategy behind it. One area of the diagram is Risk Management.
"If you are in security, you are in risk management. While my group covers traditional areas such as business continuity, disaster recovery, IT risk assessment, one area that has provided high value to the university, and strongly aids in programmatic and cultural thinking, is our pre-assessment process called the Architecture and Security Review (ASR)."
Security is now a programmatic, or an automatic, part of evaluating a technology the university would like to utilize.
And the goal is to enable what students, faculty, and staff need to do:
"I am not here to say no to a researcher or grad student or student who has a great idea. I'm here to securely enable that research and the teaching and learning, and not get in the way.
Higher education is obviously a much different culture than corporate, and finance, and government, and other verticals. I had much more authority when I was working in financial services," Sherry said.
Launching weekly roundtable discussions around risk
Sherry explained that a team of 15 subject matter experts covering all aspects of risk—including contracts, network security, APIs, integration, user experience, privacy, etc.—gather once a week to share ideas.
At least, it started out as once a week. Now his team has been a part of 40 risk roundtables in just four months. Not only is the roundtable helping assess risk, but it is building the culture component, as well.
Position Papers on security to supplement policies
According to Sherry, Princeton is very light on policies, so the security team came up with a brilliant workaround: Position Papers. They provide guidance while having the support and backing of the ISO.
"The technical community loved this offering, especially those in the decentralized IT groups, because by using the Position Papers leverage, the authority is placed on the ISO, or the CISO, when they want to use them in their areas. In a sense, we sometimes play the role of bad guy so that they can maintain a positive relationship with those they directly support…. It's not easy to change a policy, but not so with Position Papers. The community loves them, we love them, and it's had a real positive impact on our culture," Sherry said.
Providing a CISSP certification training at Princeton
According to Sherry, Princeton provided in-house training for those who wanted to earn CISSP certification. They had 22 people apply; 19 became CISSP certified.
"This, my friends, can impact your culture in a big way. I was telling some peers in higher ed about this as we were doing it, and they said, 'What, are you crazy? They're all going to think they're the CISO,' and I said, 'Yeah, that's okay. If they're thinking like me, and thinking like a CISSP in their individual departments, I'm okay with that.' I mean, who wouldn't want a CISSP in every area?" Sherry said.
Strong security culture can speed adoption of new tools
"I'm not a tool guy, however, they do serve a purpose as we all know, and we've had great success in implementing a few over the last three-plus years that I've been here. We had a recent rollout of a password manager, for example. Our tools have been accepted and embraced, partly because of the reputation that the ISO has created in other areas of our mission."
Launching a campus security discussion around risk
"You get them to understand the threat is real, and that they are the target! One of the biggest issues is phishing, like it is with most people, and it's not going to stop, so we thought strategy wise, that was the first place to start."
This led Sherry's team to launch the virtual phish bowl where they raised awareness and communicated the risks.
"At the heart of our awareness and training philosophy is the focus on what's in it for them. What will appeal to people? How can we get their attention? Why should they care? We believe in building good security through habits, like putting information security into the right context, making it personal, making it understandable... through repetition, and let's reward good behavior," Sherry explained.
According to Sherry, his team focuses on making learning fun through gamification, prizes, movie nights, live classes, and plenty of learning opportunities that are personal, like keeping your family safe online and securing your home network.
Additionally, the security team has a presence at school-wide functions such as freshman move-in day.
"We (the security booth) actually got a complaint because we were causing too much traffic. How cool is it that the security office was getting a complaint because too many people were stopping by their booth!" Sherry said enthusiastically.
Measuring a culture of security using metrics
According to Sherry, his team measures its success using the following:
- Tracking the number of incidents seen on campus
- Tracking the number of visits and submissions to the phish bowl
- Paying attention to employee feedback
- Tracking attendance at trainings
- Watching for behavioral changes, such as the adoption and use of technology like the password manager
And there is more to unpack here.
Web conference on making security programmatic and cultural
We highly recommend you take the time to watch the SecureWorld Remote Sessions episode so you can hear David Sherry's journey in developing Princeton's security program in its entirety.
Thank you, David, for helping with SecureWorld's mission of connecting, informing, and developing leaders in cybersecurity.