Focus on users during pandemic, says university CISO

The key to improving an institution’s cybersecurity posture during the COVID-19 pandemic isn’t loading up on new tools, but managing users’ workflows and ensuring they continue to be reminded about security best practices, Aaron Baillio, the chief information security officer for the University of Oklahoma, told Scoop News Group in a recent video interview.

At his university, he said, tools like Office 365, Canvas and other cloud-based applications were already being widely used before the health crisis began. Some core data systems, like its human resources system, remain on the premises, he said, but technology hasn’t been the emphasis as his team has sought to continue protecting the university’s networks.

Rather, Baillio said, the focus has been on studying how users are using data.

“I think the biggest change the pandemic has brought to cybersecurity is more of a shift in focus to the user in how they access and interact with business data,” he said. “We really had to analyze where the data lives, how it moves through those systems and how we want users to access and interact with that data.”

Baillio said his other top concerns are also largely non-technical. Ensuring users don’t forget their cybersecurity training and that they don’t connect to unprotected networks or forget to patch their devices is especially challenging as staff continue to work from home, he said.

“When people are away from work for so long, I think they tend to lose focus on cybersecurity practices because they’re not getting those regular reminders,” he said. “At work you might have posters or campaigns or other things that just help remind people of what they should be doing and when they’re away for so long, I think without those reminders, they’re not as vigilant as they should be.”

User education, more than anywhere else, he said, is where innovation is needed in cybersecurity. Ransomware attacks, he said, could be made a non-issue for universities and local governments if only they’d back up their data, properly educate their users and not postpone important architectural upgrades for years on end.

At his own university, Baillio said, it only takes a few key tools and a competent security team to cover most of the threats that come his way. There’s no need, he said, to buy every tool out there.

“Instead of trying to plug every single hole in the dam, so to speak, just give me four or five really good technologies and a good security workforce and I think we’d be able to cover 95-99% of most of the issues that come across our door,” he said. “You don’t have to have a security technology for every single market space.”

This video was recorded as part of CrowdStrike’s 2020 Fal.Con for Public Sector Virtual Cybersecurity Conference, produced by FedScoop & CyberScoop.