In this Podcast:
Welcome to a special series of the Global CISO Forum Podcast honoring the EC-Council Foundation Infosec Tech & Exec Awards Finalists! For the next three weeks we will be interviewing the best and brightest in infosec who have been named finalists for the CISO of the Year, Certified CISO of the Year, Most Improved Security Program of the Year, and Most Innovative Security Project of the Year. Learn more about our finalists here.
Welcome to a special series of the Global CISO Forum Podcast honoring the EC-Council Foundation InfoSec Tech & Exec Awards finalists. For the next three weeks we will be interviewing the best and brightest in InfoSec who have been named finalists for the CISO of the year, certified CISO of the year, most improved security program of the year, and most innovative security project of the year.
Welcome to the Global CISO Forum. The podcast for information security executives.
With us today is Medha Bhalodkar, and she is the CISO of Columbia University. She is also a finalist for the CISO of the Year nomination. The award ceremony will be next month in Atlanta Georgia at the InfoSec Tech & Exec Awards gala. Medha may be winning that award next month. We hope so. Fingers crossed.
Welcome to the program.
Congratulations again on the nomination and the finalist placement. We’re very excited to have you in the running.
I’m also very excited to meet all my peers, and it looks to be a good gathering of all the security industries across the world. I’m excited to be there this year.
I have to admit I’m very excited. The first CISO of Columbia University. That’s a very big job. You’ve had that since 2006. I know that you worked a long time in security before that.
Can you tell us a little bit about how you got into security?
Sure. Actually I had over twenty-five years in the various aspects of information technology, which included auditing, risk management, programming. And spending almost fifteen years of those twenty-five years in the financial industry, the back end of stock exchange and the banks. Then ten years in the education industry.
When I started my career I was more in information technology as a programmer, system analyst, and then followed by data center manager. Then doing network penetration testing. Then I switched to auditing when my kids were young and I couldn’t handle the people anymore, and I needed more work life balance. The challenge of being a woman and having small kids at home.
As an auditor, when I started doing IT audits, I got interested in information security because that’s when I realized that in my earlier IT roles I was responsible only for a part of technology solutions. Maybe as a programmer, maybe as a data center manager, maybe as a network specialist. Information security is not just one part of IT, not just access control, but it requires understanding of security controls in all seven layers of open system connectivity, by which I mean from the hardwiring to the web pages as the data flows through them.
I realized that it requires an in-depth knowledge of all aspects of IT, and it also requires communication and collaboration soft skills across business as well as IT [inaudible 00:03:30]. This comprehensive review of IT really challenged my curiosity. I got interested in information security.
That’s a really cool story. I like how your curiosity really pushed you to learn about security.
You moved around from a couple of different industries. How was it different moving from the financial industry to a university setting?
Totally different because in the financial industry you’re more regulated by SSIC, SEC, or across global regulatory environment. Your perimeter or your network area, your security area, is very tightly controlled as well as your external access is concerned.
Whereas when I went to the university it was entirely opposite because the mission of the university is keeping the information available for sharing, for research, for education. At the same time I was required to protect the intellectual property, the Nobel Prize research of the university as well as all of the regulatory requirements which relate to the personally identifiable information, sensitive information, like PHI, Patient Health Information, or credit card information, student information, people information in HR.
It did have the same requirements as the corporate world, but at the same time network or every machine, and Columbia University has about a hundred and fifty thousand network nodes, and every machine is connected externally. Creating security in a perimeter-less environment what needs to be protected was really interesting and a challenge.
What was the security like when you got there? Did you have a big job to do?
Yeah. I didn’t go as a security. I went as an IT audit director to Columbia University. As I was presenting, coming from the systems side, I knew how to go inside the systems and really find out exposures.
My CEO at that point, a very visionary person, realized that instead of just addressing security on different levels and just putting the Band-Aids, we need a comprehensive approach. He created the CISO position in 2006 and actually created it for me and told me, “Why don’t you come on the management side, the business side, and tell us how to be secured?” That’s how I became the CISO for Columbia, the first CISO.
So you were right away tied into the business with your CISO role?
That’s wonderful. Lots of time people have to fight for that, so it’s great that you got to start there.
Yeah. Then I had to also … They give you, but then as you develop it, as you go more, I also faced the same challenges that how do you communicate security value to the organization, and how do you take that business approach. I think that is where my financial background helped me where we kept on saying, “What is the bottom line? What is my risk?”
It seems like from your nomination, which is very detailed and wonderful, that you have really taken this program quite a long ways. Especially even in the last twelve to eighteen months, you’ve been doing some great work with some great results. Do you want to talk about any of those projects?
Sure. Specifically for the last I would say twelve to eighteen months instead of working in silos, and by silos I mean information security, or the CISOs technically, pick up a project based on the evolving threats outside and what we call the advanced persistent threats or the cyber security risks and they start doing the projects in silos even though those are very valuable for the organization, so there’s mitigation, management does not fully understand those.
What I did is I actually implemented a framework called IT Risk Management framework, ITRM. This risk management framework is not just information security. It talks about security as CIAA, confidentiality, integrity, availability, and accountability, which management understands. It grows into security aspects as well as operation aspects as well the risk management portion of it.
As a part of that what I did first is, again, you cannot secure everything which you have, but you need to find your crown jewels. These crown jewels are not what information security teams think is important but what is important to the organization.
The first part was getting together all of the business executives. Each represented by each school. Also getting the IT representatives of the same organizations. I formed two organizations. One is called the IT Leadership Council. This is formed with my CIO. IT Leadership Council actually has the business leads as well as the IT lead in it. The governance structure then flows to the IT Security Council which then aligns the initiatives developed by the IT Leadership Council.
The first thing which we did, and I’ll make it brief, is we consolidated Columbia University’s IT policies. Every school, we have seventeen schools, nine global centers, and I’m responsible for all of them except for the Columbia University Medical Center for the patient health information. We have a HIPAA security office for the medical center and the privacy office. Even for them, the policy, we wanted to bring one policy for the entire Columbia University. We formed a group, and we consolidated seventeen schools’ individual policies into one policy library with seventeen policies coming from forty-three policies, and we consolidated them into seventeen.
The most important part of that was the data classification policy which decides what’s important to Columbia. This came from business. What is most important to them? Then we developed into four categorizations of the data. The most sensitive data is the top mode, and then after that is the confidential, then sensitive, then internal, and then public. Then we actually had other policies aligning based on the data classification. What kind of controls are needed?
This fed right into the risk assessment that we would then concentrate on the information which is more important to the business as well as IT.
That was one part of it. And the second part it came right into what I was earlier mentioning that you cannot predict everything when your network is open. It needs to be open. So we actually implemented a concept called microdomains that in today’s environment I see, even for my financial friends, the other industries, pharmaceutical industries, manufacturing industries, when we started having third parties providing network or some kind of services to the organization, your network is now open to a third party provider through your cloud providers.
For me, at Columbia, it was more so because every machine was facing outside. We implemented something called microdomains. What that means is we segmented the systems, not just physically but logically, to something called microdomains which means that nobody can get to those machines. Typically security doors are, “Okay, allow this one. Allow this one. Deny this one.” The rule grows longer. Here the rule was deny all. Only allow explicitly to those who need to reach to those systems. Even if you are sitting on one network segment, the machines will not communicate to each other, connected physically to each other, until it’s explicitly allowed.
This is close to the data rather than protecting the whole network as a secure network which was a traditional way of looking at security. In my financial world we called it internet, intranet, and then internal network. This internal network is not just internal to me. It’s very close to the system you’re trying to protect.
There are multiple microdomains which allow us to protect the data at the source and at the same time keep the rest of the network open to university admissions.
I hope that was not too complicated.
No. I think I understand. It sounds very effective the way you phrased it.
Offline if you want me to elaborate, I’ll send you something on that. I can. But that is how we did those microdomains.
I think some of our listeners may actually be interested in that, but they’ll let us know.
Something else in your nomination, you achieved executive trustee alignment, and then in parentheses funding, with one of your projects. Is that something you can tell us a little bit more about? We’re always interested in how to get more funding, how to show ROI, and a lot of our listeners do struggle with those two things.
Sure. This went down to my initially accepting the CISO position. It was created by the CEO, and the CEO appointed me as the CISO. Just taking the role and then doing the security of the systems at an application security level.
What I did is I did a joint risk assessment. I would advise every new CISO to have some kind of risk assessment done when you take the role so that you can look at the entire environment of what you are responsible for. Through this risk assessment we actually identified … I remember my first ninety days in the office of the CISO, and what am I going to do.
I had something called a heat map based on what I saw with the risk assessment. I showed the areas, and for Columbia it was a centralized as well as a decentralized environment. What I showed to the trustees, again with few pages because you don’t really have too much time when you talk to trustees, but with few slides showing them, and no details, no Excel spreadsheets, no details, but showing them a heat map. Showing these are the areas where I have lack of controls. This is where I have the highest risks. Be sure first to the central systems because central systems have sensitive data in it. Say, “These are the ones I’m going to tackle first.”
I also had a quadrant showing what are the nine, and I only had nine or ten initiatives at the very high level. To give an example, consolidation of the policy was high up on there. It was also that segmenting your sensitive data from your combined network so it can be secured. It also had the security awareness for the people for doing that segregation of duties as the role.
Very, very high level, but showing them what I need to do over the ninety days and which one of them, in the four quadrant it was showing, which one is difficult to implement, and what kind of this mitigation am I getting through that? I picked the ones which are one most risky with the sensitive data that I needed to protect. The second one, also, which were security awareness training was not difficult to do but gave more results.
I identified those nine initiatives. I showed the plan as a short term long term. That these are going to be finished in ninety days, but these are going to be my continuous effort for the next two years.
That heat map got trustees interested and say, “Okay, you have to come back and tell us what you did.” Of course that gave me my foot in to go back and tell them in ninety days. Of course it put me on my feet for those ninety days to get it done.
I went back and said, “This is what we finished.” At the same time showing them, “This is what is out there in the decentralized environment.”
That gave me that buy-in and funding. What do you need in order to reach those. No one wants, no executive management, if you tell them in their language, wants to resume the risk to the extent possible. If they could help me to get it, they would like me to get it. They asked me, “What do you need for this?”
Going back to the CIO and CEO, that came back to my resources and funding for the projects. That’s when we started our initial projects. I still, ten years after that, my functions have evolved. I’ve got now additional functions. Maybe I’ll talk about it later.
That story still continues that we still report on what we did, where are we in terms of maturity of those individual functions, and what else I can achieve going to the next one. Without talking about the funding to the trustees. When you show them the whole picture, everything else falls into their places.
You touched on it a little bit, it’s also in your nomination, that you deal with a hybrid environment. It’s partly centralized, partly decentralized. Those decentralized environments are sometimes the riskier. How have you dealt with that?
You’re absolutely right. The risk is not that central area. I wouldn’t say no risk because there’s never a zero risk, but risk is much less in the central area because it is very controlled for different aspects of risk. It is really the decentralized area, individual schools and departments, where they all use the central systems for central functions like administrative functions, but they do have their individual systems for their localized needs. How do you really protect those? They do not have those resources, they do not have those technical know-how or the security intelligence to really protect.
What we did is initially we formed something called, which I was mentioning earlier, IT Leadership Council. IT Leadership Council has these business heads as well as the IT heads from all the schools and departments, and we meet monthly. I established a governance structure.
Any of the risk initiatives, or the security initiatives, at the beginning of the fiscal year, I would share with the IT Leadership Council and show them these are the emerging threats. This is what we need to do. This is what we are doing for central. If you need to cover the similar risk on your areas, this is where I can help you, or this is where I can guide you. We then show them that at the business level. We seek their alignment that, yes, these are the top initiatives we should be taking. They see ownership into that initiative.
All of them have their own IT heads on their side. That’s my next group, the IT Security Council which reports to IT Leadership Council. That’s where we go into a lot of technical details. A lot of times if we are acquiring some tools I would acquire that centrally. This way they don’t have to worry about the training, they don’t have to worry about the technical resources. They may share the licensing cost with all the schools and departments, but most of the implementation efforts, training efforts, I would assume on the central side. They’re more than willing to partner into that.
Taking licenses individually for schools, we started doing those Columbia-wide, enterprise-wide. They also benefit from the volume discounts. They all buy into that. We implement those collectively across all the school and departments.
One good example of that which is happening right now is multi-factor authentication. We acquired a product called Duo for two-factor authentication. We implemented on the critical systems, and we’re still implementing it across schools and departments. All the projects are aligned with all the seventeen schools in implementing that across the university.
This is a kind of [inaudible 00:21:54] structure. Begin with business, align beginning of the year, report then periodically on what are the new threats, what do we need to do Columbia as a whole, enforcing our policy at [inaudible 00:22:06] communication, and then getting them together. Some of the smallest schools don’t have the IT staff, so my team, which is constantly growing, we would then assume the roles of those people, and we would help them.
Then if I go back to the trustees or the CEO’s reporting on these, they would also give me that additional strength. If you want to do this risk management, this ITRM, they would say, “Okay, you are doing it for sensitive systems, how about doing it for third party vendor management?” And I would say, “Yes, I can do it, but currently I only have two people to do it.” And they say, “Okay, we will look for additional two.” And I just got additional two for those for doing more risk management across the centralized schools and departments.
It’s a continuous cycle.
I also note that a lot of these programs have led to you being able to point to reduced insurance costs to the university as kind of an ROI outcome.
That’s something I have not heard before in all my interviews with CISOs. That’s a wonderful answer if you can point to reduced insurance costs, right?
That must have worked very well.
Yeah. Insurance costs, typically we were looking for the cyber security insurance as well as the insurance cost. Typically the insurance agents give you the whole questionnaire, and that questionnaire are the metrics by which they evaluate you. They don’t give you much room in explaining, “Oh, I have for this, and I don’t have this control for the other environment.” Answers are either yes or no and then how you implement.
When I aligned my initiatives, and when I was catching up on the high ROI initiatives building into my security program and coming from the financial industry, I did look at some of those. For example, including this two-factor authentication which I was talking about, or tightening up the security across your sensitive information, classifying your information as sensitive, labeling the data as to what is sensitive to you. Having the policy and measuring the adherence to that. These are standard questions in those questionnaires.
My early on efforts and what I’m trying to do now with the two-factor actually gave on those questionnaires most of the answers as yes. Typically for the university, or the public sector category, you don’t get into certain scoring patterns. I shouldn’t boast, but Columbia is actually in the finance considered as equivalent to any financial industry on the security.
That raised our score high. Yes, of course, that results then as less of the costs for the insurance.
That’s very impressive. I’m sure it has a lot to do with where you came from in your prior jobs.
Getting back a little bit more generally, you’ve been in the industry for a long time. You’ve been a CISO for about eight years it looks like. How have you seen the role change?
I think the role has definitely changed a lot. Initially it was really a security officer, securing your system, securing your networks.
More and more it’s becoming, after a lot of regulatory requirements, compliance requirements, the penalties for the non-compliance of those. Perfect example is the PCI example, or PHI, which is patient health information. A security officer now has to be very much aware of the compliance needs because that’s where the business is very sensitive as well as it’s the risk to the organization. The security officer has to be a kind of a compliance officer understanding the compliance needs.
Along with that, with the patient health information and protection of the personally identifiable information, has got locked into the privacy. The security officer needs to be fully aware of the privacy requirements.
I think the security officer’s role, if you really want to grow in your function and stay closer to the business mission and organization and risk reduction, we do cyber security and ransomware, you need to be eventually playing role of a risk officer. Whether you report to the risk officer or whether you see the whole risk. But you definitely need to have the risk officer knowledge or aptitude.
That’s a really interesting point that it’s all going to the business risk perspective.
Something else that jumped out to me on your nomination is that you strive to mentor and guide young women in this often male dominated profession of yours. I have two questions. How have you dealt with that, being a woman in such a male dominated industry? And what kind of mentoring and outreach are you doing?
First part, how I have dealt with it. Yes, most of the time when I go to some of these specific conferences and things, I do see a few women, but it’s mostly male dominated. I think once you start talking, when you are in the meetings, when you are in the presentations, my earlier on days, until you speak their language and you start talking about the technical parts, there’s a question mark in their eyes. There’s a question mark in what we say the emotional intelligence as to, “Okay, what she knows? What does she really know?” Once you start talking, once you start speaking their language, they do accept you as part of their peers.
I have learned lots from the CISOs and other CROs and other professionals across industries. There are few women, and there’s always a question mark as to what is exactly your role, and what are you doing in that.
I think that women have, in general, naturally, the ability to collaborate or communicate better. That’s what I believe in. We have the soft skills. We understand we need to reach out to people. As a natural woman you do want to help people across whether it’s family or it’s outside people. We do have those soft skills.
Technical skills, I have seen a lot of women in programming, systems development, I’ve seen as a web developer. There are a lot of women there in IT, but in specific silos. I think exposing them more, like the way I got into this role, that when you’re doing one part of either the database administration, or the system administrator, the programmer, the developer, the project manager. When you start knowing that this field is actually including all of those other things that you can learn, you can actually be a good security officer. It’s not just technical skills. It’s also soft skills. You can combine both.
If you can explain this interesting side of security or risk management or actually having some feeling that you did something for the organization, you can achieve that a lot. You can see the full picture here. That’s what I want to communicate to young women when I meet them at the conferences and when I meet them at different trainings. We do talk about those.
What have I done? Not really much for Columbia. Actually my CIO, whom I report to, also wants to do something similar. We are in a process of establishing that women in IT, at all levels, at Columbia. We are actually developing the program. We would be doing much more about it.
My efforts so far have been talking to different women I come across, and talk to them, and then share with them, and be in touch with them. Now I’ll be actually doing something more than that.
That’s wonderful. I really like hearing those kinds of stories. On the podcast we try to interview as many CISOs as we can, and very few of them have been women. Of course I’d like to see that change as many would in the industry. That’s wonderful. Thank you so much for doing that.
And thank you so much for taking the time to talk with us today. This has been a great interview, and I look forward to seeing you next month in Atlanta Georgia.
That’ll do it for this episode of the Global CISO Forum Podcast. The show is produced by Saba Mohammad. Edited by Shaandiin Tome. You can help the show by subscribing on iTunes or Stitcher. If you would leave a review for us that would help other people find the show.
Until next time, this is Amber Pedroncelli.
Thank you for tuning in to another edition of the Global CISO Forum. The podcast for information security executives.