Interview: securing the University using NIST’s Cyber Framework

College and university campuses are notoriously difficult to tame. In this one-on-one interview, I speak with Plamen Martinov, the Chief Information Security Officer for the Biological Sciences Division at the University of Chicago about how his organization has used NIST’s Cybersecurity Framework to create a security lingua franca at UChicago and improve the organization’s security posture.

Universities are bastions of creativity, learning and invention. But, from the perspective of information security, they’re Petri dishes: breeding grounds for all manner of threats and attacks. Put aside the freshmen downloading pirated videos and the would-be Sean Parkers and Mark Zuckerbergs hatching their new startup. Universities develop and sit on reams of valuable intellectual property and research data on everything from quantum computing and the environment to national defense.

University faculty are sought after by government agencies and private sector firms alike. Universities function like small cities, with public safety officials, physical plant alongside cafeterias and stores processing hundreds or even thousands of credit card transactions each day.

Add to those challenges the wrinkle that universities are often very decentralized IT environments, with department-, lab- or even facility-based IT environments, separate IT teams and a wide range of endpoints. In short: university networks are high value, high risk and damned hard to secure.

Hard – but not impossible. At the recent RSA Conference in San Francisco, I had the opportunity (thanks to SL sponsor Veracode *) to sit down with Plamen Martinov. Plamen is the Deputy Chief Information Security Officer for the University of Chicago and the CISO for the University’s Biological Sciences Division.

In this conversation, we talk about the challenges of securing diverse and dynamic IT environments like University of Chicago’s where, as Plamen puts it, “openness, and freedom of expression, including freedom of exchange of information are the core principles of the organization.”

Plamen Martinov is the CISO of the Biological Sciences Division at University of Chicago.

One tool that Martinov has found useful in managing the chaos is the cybersecurity framework published by NIST.

In this conversation, I talk with Plamen about the challenges facing CISOs in the education space and the value he has found in using the NIST framework. We talk about how he went about getting UChicago’s many different IT groups to standardize on it.

Paul Roberts (Security Ledger): So tell us a little bit about your work as CSO at University of Chicago. Obviously the (higher education) space is one with very large, complex organizations. So as Deputy Chief Information Security Officer, what’s on your docket? What are your main responsibilities?

Plamen Martinov (University of Chicago): Yeah, exactly. So the University of Chicago is like a big village. There are many different operations going on. I actually have three different titles – that’s how complicated things are.

Paul Roberts: Okay. And three paychecks right?

Plamen Martinov: Yeah, so yeah, unfortunately it doesn’t work that way. You can get titles very easily, but you can’t shut them off. So I’m the Chief Information Security Officer for the Biological Sciences division. It’s one of the largest divisions within the University. We have about 5000 employees, and we do patient care, education, and research. My focus in the division is on research. So it’s very exciting, because it’s always leading edge technology, and we always try to do different things.

I also have a title as a Deputy Chief of Information Security Officer for the University. This is where we have a connection with the University’s Chief of Information Security Officer, my peer. And we try to scale the things that we do, or try to exchange ideas in a way that we build it once and use it many times.

And my last title here would be the Risk Management Director for the Center for Data Intensive Sciences. Our primary focus is cancer research, and building informatics services, and data commons. Essentially, platforms on which faculty and different researchers can ultimately do research on cancer.

Paul Roberts: Okay. Those sound like three big jobs.

Plamen Martinov: Indeed.

Paul Roberts: I guess as you look at that, what are your top concerns, or what are your top headaches as a Chief Information Security Officer? What does the risk landscape look like for you?

Plamen Martinov: It’s a little bit of everything, but I guess if you have to prioritize in our environment, we try to balance data security with data accessibility. We’re building into an environment where openness, and freedom of expression, including freedom of exchange of information are the core principles of the organization. And so we always try to find a balance between security, compliance, and also data accessibility, where we can allow researchers to do the research they need to do, and exchange ideas, and information freely.

Paul Roberts: Okay. And I’m guessing all those labs, you’ve probably got a ton of equipment, a lot of unconventional end points.

Plamen Martinov: Right. So we have about 900 faculty. And there are appointees within the Biological Sciences division. Each of them is a researcher during the day, may see patients in the afternoon, and also lectures and teaches at the University at some point, and so they wear three different hats.

Our job is to make sure that we have consistent security practices, no matter which part of the organization they’re working on, because consistency’s one way to ultimately achieve some of the security, and compliance requirements that we’re trying to get to.

Paul Roberts: One of the ways you’ve done that is by embracing the NIST cyber security guidelines. And you’re actually giving a talk on Thursday about your experience kind of implementing those, and working with those. I guess for folks in the audience who might not be familiar with the NIST cyber security guidelines, talk a little bit about what is involved in those.

Plamen Martinov: Yeah, so we were the first implementers of the NIST cyber security framework. It was published in 2014. It was the result of an executive order that was issued a couple years prior to that. And NIST obviously has always done a great job and a very thoughtful job developing something new.

The premise behind the framework is such that there are so many different frameworks out there, but yet everybody continues getting breached and the expenses continue to rise, data breaches and information continue to leak. So the team that developed this framework had one goal in mind: do it differently than all the rest of the frameworks. Apply a different methodology behind it. And the framework is ultimately made up of best practices and guidelines, just like any other framework. It has five functions. It has 23 different categories, and then they’re split into 108 subcategories.

What makes this framework different than any other frameworks is that it is outcome based. It helps you drive to a certain state and maturity in the organization, rather than some of the other frameworks, which are more compliance based.

The second thing that we like about the framework and why it works in such a decentralized environment is that it creates a common language with which you can communicate. So we now have the same dictionary, same words, same definitions, that we’re communicating up to the leadership and down to the tactical and operational level. So that’s been a unique component of it that’s really helped us increase resiliency and reduce risk within the organization.

Paul Roberts: At a practical level, as you went to implement this, what changes did it compel in the way that you were doing information security across, again, this very large and diverse organization?

Plamen Martinov: Right, so here is an example. We have 23 different departments. Each of them is structured depending on the medical discipline, like family medicine, anesthesia, surgery, and so on. Each of these departments has their own IT team reporting locally to the department, just like their own HR. So essentially 23 companies. What we’ve been able to do with the framework using the same language is start and create a baseline of where we are today, and work with them slowly to increase those security maturity levels and create some consistent processes. So when we first started this about four years ago, I had 23 different (Dell) WYSE house servers built, 23 different WYSE house computers were supported. And now we’re getting to a level where it’s a little more consistent, and not only because I used a compliance stick, but because they understand that they’re part of the process of maturing the operational level in the organization.

Paul Roberts: Right, I mean one of the challenges with frameworks, right, is obviously they tend to be adopted at the top levels but then evangelizing them down to the rank and file is harder. So how have you done that?

Plamen Martinov: One way we did this is we added a three-dimensional view when we created the baseline so we focus not only on the technology aspect of it – how well they’re doing or how bad they’re doing. We also looked at people, process and technology. And we work with each of the departments to baseline their current levels and we developed the target state of where we want to be next year and the year after that and we continuously measure it every single year, year after year.

They were part of developing the baseline and they were part of assessing themselves, and so they’ve been partners with us throughout the process. So not only are we working with them, but we truly partner with each of these departments and IT teams in order to increase their operational level and maturity which helped us reduce risk ultimately.

Paul Roberts: One aspect of the NIST framework is focused rightly on incident response. So not only, you know, identifying that some kind of cyber event has occurred but actually then responding to it, remediating it, setting up the conditions where it doesn’t recur.

Paul Roberts: That can be hard for a non-profit organization. It can be hard for an organization that doesn’t necessarily have the resources to invest in a bug hunter or in people to do IR and remediation. How have you managed that within your organization? Is that a skill set you needed to bring on or did you just kind of cultivate those skills within your existing staff?

Plamen Martinov: That is a tough question and it’s something that we continue to struggle with. But you know, one thing that we’ve been trying to instill with everybody is that security is everybody’s responsibility. I mean, we did create a structure and bring people in and we’re structured into a blue team, a red team, and a purple team. And so each of these teams has specific functions and roles in the organization. But what we try to do ultimately is drive the responsibility component and help from the IT people, because we’re a team of eight people, but we’re supporting a staff of 120.

So, if we want to get them on board to help us, we tend to do tabletop exercises with them — get them in a process, help them understand what we’re doing. Help them understand that the things that we need to do are the things that we need to do so that when we do have an incident, they’re part of the solution and they don’t feel like we’re just barking orders at them.

So that’s been very helpful in that case scenario and we still have a lot of work to do in that part. I think we are definitely in a more mature state, but we are really focused on improving processes and working with people over technology. And I think that strategy has really helped us to drive that component that security is everybody’s responsibility.

Paul Roberts: I know one of the challenges in the higher ed space, especially in a research environment like University of Chicago is the folks who are running these labs are scientists, biologists, chemists. Their main interest and priority is not information security, right?

Plamen Martinov: No.

Paul Roberts: They’re trying to get their research done. Fulfill their grant, get a new grant. And they’re the Captain Ahab of their lab, right? So they don’t want somebody from IT coming in and telling them to do anything differently.

Plamen Martinov: Right.

Paul Roberts: How do you deal with that?

Plamen Martinov: So one way we’ve done this is we’ve created a governing process where we put our faculty, our researchers in the driver’s seat. So essentially we have a board of directors for the cyber security program and everything we do, we take it through them and when we reach an agreement they become our champions with the rest of the faculty, and that’s been very successful on our part. Again, our job is to make sure that we instill the concept that security is everybody’s responsibility and partner up with people, faculty or IT people to achieve some of the goals that we have. Hopefully they’re not listening to me, but one way I try to describe it in a simple way is we kind of boil the frog slowly.

Paul Roberts: I like that idea. Okay. You know, folks out here in the audience who might be at organizations that would benefit from starting to tack towards having the NIST cyber security framework implemented within their organization. What’s your advice to them if they haven’t started on that process, or it’s not something they’ve looked at? How should they get going?

Plamen Martinov: Yeah, absolutely. There are a lot of resources; there’s a website that NIST has created specifically for the cyber security framework. And the first thing you want to do is ultimately develop your profile — where you think you are today. That takes a little bit of time and that takes a little bit of judgment, but developing that profile…

Paul Roberts: Take a self assessment?

Plamen Martinov: Pretty much as a self assessment. Additionally, we have a free tool that is something that we offer to departments to baseline themselves against where we want them to go. And you could use that tool in a way to quantify where you have gaps. You can go to our website and search for the tool. It’s an easy 20 minutes to complete it. You can figure out where you are today and then have a discussion with your leadership of where you want to go next.

So, I would say that the one thing that made us the most successful in this process is that we set up governance and we put our faculty and business in charge. That’s ultimately the primary reason why we’ve been so successful with this.

Paul Roberts: Plamen Martinov of University of Chicago, thank you so much for coming on and talking to us on Security Ledger, on Veracode Live with The Security Ledger.

Plamen Martinov: Great, thanks Paul, thanks for having me, I appreciate it.

(*) Veracode is a sponsor of The Security Ledger. For more information on how Security Ledger works with its sponsors and sponsored content on Security Ledger, check out our About Security Ledger page on sponsorships and sponsor relations.