UC Cybersecurity Initiative recognized for innovation, business value
The University of California has won a key industry award for its systemwide Cybersecurity Initiative that’s aimed at effectively managing cyber-risk.
UC was honored at the CSO50 Conference and Awards on Feb. 26-28 in Scottsdale, Arizona for demonstrating innovation, outstanding business value and thought leadership with its Cyber-Risk Management Initiative. In all, 50 organizations, including two other universities, were recognized for their security projects or initiatives.
Chief Information Security Officer David Rusting, Cyber-Risk Program Manager Monte Ratzlaff and Policy Director Robert Smith from UC Office of the President accepted the award on behalf of the university and shared details about the systemwide Cyber-Risk Management Initiative with attendees.
The following is a CSO announcement of UC’s award:
Universities always struggle to find the right balance between implementing strong cybersecurity measures and providing an open academic environment for their faculty and students. For the University of California, the challenge became more pressing and complicated in July 2015, after a cyberattack on UCLA Health.
“Our leadership realized we had to take a different tack for managing cyber-risk,” said CISO David Rusting. “Cyber-risk is much broader than an attack. It encompasses business, legal, and ethical issues, and leadership requires a better understanding of these issues in order to support a consistent and coordinated approach.”
A unique challenge to setting up a universitywide cyber-risk management program was the fact that the university’s 10 campuses and five health systems are highly decentralized and operate independently from each other in many functions, including security. Doing something in a consistent and coordinated fashion among many entities would be difficult. But with leadership support, the university united and launched the Cyber-Risk Management Initiative.
The program is based on five core pillars of cyber-risk management, including governance, risk management, modernizing technology, adopting common solutions and implementing cultural change. These pillars support all aspects of cyber-risk management and are used to drive cyber-risk reduction across all 10 campuses and five health systems.
In just a couple of years, the initiative achieved several firsts for the university: Each location has a designated executive who reports to the chancellor on issues of cyber-risk and is empowered to drive cyber-risk efforts across the location. Consistent risk assessments were conducted across all 15 locations. Threat detection and identification was deployed at all locations, a first for a higher education and healthcare organization of UC’s size and complexity.
Though health systems generally require more stringent security controls than college campuses, “a lot of basic controls in security are horizontal and applicable to all environments,” Rusting said. “Understanding the nature of data, its context of use and the regulations that surround it are critical in order to manage the cyber-risk.
The university also leveled the security playing field by filling technology gaps at campuses with fewer security investments, including adding FireEye threat detection software at most locations, to help campuses meet the sophisticated threats they’re now facing.
The results: UC’s ability to detect and respond to threats across all campuses and health systems went from taking days and weeks to just a few hours. Cybersecurity training was mandated, with nearly 90 percent compliance in the first year and 95 percent compliance in the second year. A leading-edge information security policy was developed, and notifications due to breaches dropped significantly.