Don't Forget the Fundamentals

Don Welch, Vice President for Information Technology and Global University Chief Information Officer, New York University

Don Welch is the Global Chief Information Officer at New York University, leading IT strategy across its international campuses. He’s held leadership roles as CTO, CIO, CISO, and CEO, bringing firsthand experience in nearly every technology area. Welch began his work in cybersecurity while teaching at West Point, where he helped build one of the first national programs in the field. His focus today remains clear: build strong teams, align tech with mission, and deliver results that matter.

In this article, Welch emphasizes that cybersecurity relies on IT teams consistently applying basic security practices, not just on advanced tools or cybersecurity staff.

Fundamentals, by definition, are the building blocks on which any activity is built. Looking at sports, the perfect football play fails if the linemen don’t block, the quarterback doesn’t throw accurately and the receiver doesn’t keep his eyes on the ball. Cybersecurity is no different. The best cybersecurity program that uses best-in-class tools with highly trained staff will fail without system administrators who have solid fundamentals.

Security fundamentals are not the responsibility of the cybersecurity team, but of the IT team(s). The cybersecurity team may have a role in monitoring and reporting on how well IT executes the fundamentals, but the responsibility falls to IT.

Consider policing as an analogy. Police departments have awareness programs that tell people how best to protect themselves. Many will visit a home or business by request to advise on the best measures to take. They actively patrol to catch criminals in the act and investigate after a crime. The cybersecurity team can be thought of as the police force.

The IT team(s) are the equivalent of the home or business owners. The home or business owner and the people who live and work there are responsible for installing doors and windows appropriate to the threat, locking those doors and windows and taking all the proper actions.

We depend on the IT teams to patch the systems, using automation if possible. The IT team must ensure unneeded ports and services are turned off, default passwords are changed, strong, unique passwords are used, and password lockout policies are in place. The IT team must enforce the principle of least privilege on file systems and sensitive data.

Administrator accounts must only be used when necessary, and multi-factor authentication must be the rule. Regular reviews to find and purge accounts that are no longer valid, such as those of departed staff, must be a standard process. Remote access has to be restricted and go through a secure protocol like SSH. The concept of a perimeter defense is dead, but that doesn’t mean default deny should not be in place at all borders. Encryption of sensitive data is a must. A secure backup of the systems and a robust disaster recovery and business continuity plan that is tested are foundational capabilities. This is not a complete list, but it does touch on the fundamentals of professional management of IT systems.
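
An added example, not part of the original article: one way to script the regular account review described above, flagging accounts whose owner has left, accounts without multi-factor authentication, and accounts nobody has logged into recently. The CSV column names, the roster set and the 90-day inactivity threshold are assumptions, and the sample data is constructed.

```python
import csv
import io
from datetime import date

# Constructed sample data: an account export and the HR roster of current staff.
ACCOUNTS_CSV = """username,owner_id,is_admin,mfa_enabled,last_login
asmith,E100,no,yes,2024-05-28
asmith-adm,E100,yes,no,2024-05-30
bjones,E200,no,yes,2023-11-02
svc-backup,,no,no,2024-06-01
cwu,E300,yes,yes,2024-01-15
"""
ACTIVE_STAFF = {"E100", "E300"}   # E200 has left the organization
STALE_AFTER_DAYS = 90             # assumed threshold, set by local policy


def is_yes(value):
    return value.strip().lower() == "yes"


def review_accounts(accounts_csv, active_staff, today, stale_days=STALE_AFTER_DAYS):
    """Return {username: [findings]} for every account that needs attention."""
    findings = {}
    for row in csv.DictReader(io.StringIO(accounts_csv)):
        issues = []
        owner = row["owner_id"].strip()
        if not owner:
            issues.append("no owner on record")
        elif owner not in active_staff:
            issues.append("owner not in active roster")
        if not is_yes(row["mfa_enabled"]):
            # Missing MFA on an administrator account is the higher-priority finding.
            issues.append("admin without MFA" if is_yes(row["is_admin"]) else "MFA not enabled")
        idle = (today - date.fromisoformat(row["last_login"].strip())).days
        if idle > stale_days:
            issues.append(f"no login for {idle} days")
        if issues:
            findings[row["username"]] = issues
    return findings


if __name__ == "__main__":
    report = review_accounts(ACCOUNTS_CSV, ACTIVE_STAFF, date(2024, 6, 3))
    for user, issues in report.items():
        print(f"{user}: {'; '.join(issues)}")
```

Accounts with no owner on record, typically service accounts, are reported separately from departed-staff accounts so that each can be assigned an accountable owner rather than purged outright.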

Going back to the sports analogy, I have a friend who was a great college basketball coach. After he retired, a pro team hired him to coach the fundamentals. They knew the importance. An IT team that executes the fundamentals well is an efficient and high-performing team. Documented, standardized processes minimize mistakes and make incident and problem resolutions faster. The most advanced AI capability is worthless when an organization's data is unavailable due to a ransomware attack. It is easy to lose sight of the fundamentals as the business demands the next value-adding capability, but you’ll do so at your peril.
