Please tell us a bit about yourself, your background, and your journey of becoming a CISO for the University of Health Sciences and Pharmacy in St. Louis.
Like a lot of IT people, I worked my way up from technical support. Each role I took offered more responsibility and challenges. I’d actively tell my boss: “Hey, I want this role that has opened up” or “This person is leaving, I’d like to take over those responsibilities”. I think that really proved that I was there to help and excel.
Eventually, I climbed the promotion track at the University and ended up as their CIO. They had a need to develop a cybersecurity foundation where none had existed, and like before, I took up that role and started laying the groundwork for what has become a successful program.
I was eventually made CISO, in addition to keeping my CIO role, and now find myself incredibly busy.
What drew you into working at a Higher Education institution and what does your role within this industry entail?
​The initial role I was recruited for at the University was a Client Systems Engineer. At the time, I wasn’t so much thinking about being in Higher Ed as I was thinking about being offered the next challenge in my career. That role was going to push me to learn new technical skills, new software, and to grow into a more technical person.
Once in Higher Ed though, I really started to enjoy the flexibility of getting to wear multiple hats because there was a need for that, and the benefits provided there were exactly what I needed, like training, education, time off, etc.
I knew I could really start to help. Higher Ed is one of the most targeted industries for cyber-attacks and many institutions don’t have the funds or know-how to secure themselves. I’ve been at a few Higher Ed institutes now and feel quite comfortable helping them build a foundation and process for security.
What are common weaknesses in information security strategies that Higher Ed institutions often overlook?
​Researchers and what they are working on need to be protected. Too many times that gets overlooked and researchers are being targeted to have their intellectual property stolen.
IoT is becoming a bigger concern, mostly from a privacy and data standpoint. A lot of universities are putting “smart” listening devices like Google or Alexa in dorms and we need to quantify what is being recorded and captured there.
What do you think the biggest pain points are in the market in GRC, generally and within the Higher Ed industry?
This isn’t limited to Higher Ed, but defining what cybersecurity and risk are, and what they can do for the business. There is a general lack of a GRC framework and a standard/baseline for what everyone should be striving for. I think that will change in the next couple of years.
There’s a disconnect between users, inside the business or university, not even knowing what their “business” actually is, what they offer and how they make money. It’s hard for many to define at a base level. When you can’t define that, it becomes impossible to identify all the risks and take the steps to mitigate or trigger them.
On a more personal note, what is something surprising about you that not a lot of people in your work environment know about you?
I was the 2014 Midwestern 8-ball Pool champion. Pool is one of my favorite pastimes and an activity that helps me unwind.