Why cybersecurity matters in higher education

Q&A with Fred Kwong, Vice President and Chief Information Security Officer, DeVry University

Driven with a mission of creating a cyber-secured environment and empowering students at DeVry, Fred Kwong is on the journey of bringing a change to the world or in his words “becoming an agent of change.”With over 20 years of experience in the Information Security and Technology field, Kwong currently serves as Vice President and Chief Information Security Officer at DeVry University.

Please share with our readers about your current roles and responsibilities.

I have been at DeVry University for over a year. I am responsible for the cyber and physical security programs at the university. Additionally, I partner with our deans to help shape the cybersecurity curriculum for DeVry’s programs. We offer a range of academic programs such as certificates, associate’s degrees, bachelor’s, and master's degrees and I help ensure the curriculum our faculty is delivering is as relevant as possible in today’s digital era. Cybersecurity is such a dynamic field that it's important for us to make sure that the information we are delivering is realistic and relevant to the organizations that will employ our students.

I have been in the cybersecurity field for over 20 years. I started off my professional journey by working in help desks before the dot-com boom days, eventually moving to networking, system administration, telephony, storage, webpage design, and eventually security where I have served for more than a decade. When it comes to working in security, it’s crucial to have a holistic view of the entire organization to ensure we are identifying and tracking cyber risks across the enterprise.

What according to you are some of the challenges in terms of cybersecurity in the education space?

One of the biggest challenges we face in higher education when it comes to cybersecurity is the advancement of the threat actors.

Threat actors are aware that cybersecurity protections in the education and healthcare sectors are less advanced in comparison to the financial sector due to fewer investments and prioritization, something that drives them to target the education and healthcare industries. As a result, education and healthcare institutions are ramping up their security programs, in fact, according to Gartner's latest report, an 11 percent increase in cyber spending is noted. This is a step in the right direction, and I am pleased to see education organizations are taking cybersecurity risks seriously and are making the necessary investments to defend themselves against threat actors.

What are some of the technological advancements that you have implemented lately in your organization?

Recently there have been a lot of advancements in technology and processes, especially in the education space. In terms of technology needs, I think one of the biggest threats we see at DeVry is the proliferation of credential phishing, used for account compromise and ransomware attacks. We are seeing threat actors trying to use compromised credentials and move laterally inside our organizations to download and embed malicious payloads inside the organization. To counter this, we have been making a lot of technology and process improvements by relying more on machine learning and AI-based technologies. We have implemented several processes and technologies aimed at preventing fraud through social engineering messages sent via SMS, email, and other means.

In terms of defense, once a threat actor infiltrates our organization, AI and ML algorithms in endpoint detectors and response technologies prevent the threat from causing any actions. Another area where investments have been made is around processes and recovery. A lot of focus is given to data resilience. We need to ensure that not only our system is up-to-date and operational, but our data is resilient in nature. Additionally, there is more emphasis on ensuring that the right backups are taking place and that those backups are not accessible to threat actors. This way, restoration becomes much quicker should our systems be attacked.

Can you share any project initiative that you are part of lately?

Recently I have been a part of a project to meet FTC safeguard rules. It is related to Gramm-Leach-Bliley Act (GLBA) compliance and certain controls and processes that we need in order to protect the financial data of our students and colleagues. We have implemented several controls to protect the identity of our students and colleagues, such as multi-factor authentication, enhanced security monitoring, and security awareness. In addition, we have enhanced our encryption across the board. We’re also focusing our efforts on incident response so that once an attack occurs, we have the right folks and procedures to handle the situation. We are continually assessing our organization for vulnerabilities, especially in terms of configuration.

"Continue focusing on the fundamentals of security, as they have been tried and tested and will continue to serve us well."

Moving forward, we are planning to put additional focus on access governance across our organization in addition to privilege access management. We also are looking to implement zero trust. We will measure the success of these projects by comparing our organization’s controls against the NIST cybersecurity maturity model and ensuring that we fall into our acceptable risk definition for our organization.

How do you envision the future of cybersecurity space in your organization for a couple of years down the line?

Cybersecurity will continue to be an area of focus for the organization for the foreseeable future. As threat actors continue to target organizations with weaker security postures and look for opportunities to compromise systems, we must continue to invest to combat these threats.

We created a three-year plan that outlines our goals, with the main objective to thwart cyber criminals and ensure cyber resiliency. We tie everything to a risk management framework and ensure we do not overspend on areas we do not need to invest and allocate resources efficiently to address critical areas. We understand that every organization has a different risk tolerance level and data to protect, and hence we define our acceptable risk level to implement appropriate controls and ensure duty of care is followed.

In addition, we strongly focus on the user experience, minimizing the barriers to entering our systems and applications while simultaneously improving overall security. There is no point in implementing security controls if it causes too much friction among our colleagues and students. In the future, our goal is to achieve password-less authentication and implement a zero-trust architecture. With our assets moving to the cloud, we plan to migrate out of our central data center, which requires changing our existing controls. Traditional data center controls may not work for cloud-based solutions, and therefore, we are migrating our controls to the cloud to ensure they work effectively and provide cloud visibility.

Finally, we are closely monitoring the role of AI in the cybersecurity space, given the increasing number of AI-powered attacks. We aim to leverage defensive controls that leverage AI to react at the same level of quickness that the threat actors are. As the cyber security space is continually evolving, we try to adapt to new technologies as well as comply with privacy laws and regulations that govern these technologies.

What would be your piece of advice to your fellow peers?

My advice to my fellow peers is to continue focusing on the fundamentals of security, as they have been tried and tested and will continue to serve us well. Most threat actors are not using zero-day vulnerabilities to gain access to organizations. Having a culture of good cyber hygiene is a must for all organizations.

Advancements in AI and ML technologies have made it much easier for threat actors to act against organizations. Unless we also embrace these technologies, we will be putting ourselves at a disadvantage. Be sure to articulate to leadership both the benefits and cautions of these technologies. As technology leaders in our organizations, it is up to us to ensure we do not dismiss technologies like OpenAI and think through how these technologies can help in automation of our security program.

Additionally, we all must stay active in the security community. Networking with fellow professionals has been incredibly beneficial for me, as it enables us to collaborate and solve problems together. It also helps us to stay informed about new regulations and laws. Cybersecurity is a complex issue; it is essential that our voices are heard by elected officials as they develop new rules and regulations in the cybersecurity space. Therefore, networking with fellow professionals is key to making our voices heard.

Finally, make sure that you are aligning your security goals to those of the business. We must work closely with our business partners to ensure that the data which is leveraged across the organization is shared safely and securely. Without a close partnership with our peers in the business, we run the risk of not having the right level of visibility in order to protect the data accordingly. Work with the organization to understand the business needs and minimize the risk to the organization to an acceptable level.

Healthcare

Financial

Information Security

Data Center

Risk Management

Storage

Physical Security

Machine Learning

Fraud