John Virden became chief information security officer (CISO) at the University of California, Riverside, earlier this year. He has been in information security for over 20 years, starting in the US Navy, where he earned his master’s degree. After the Navy, Virden worked as a Department of Defense contractor in information security for many years. Two years prior to joining UCR, he supported the US Army in Afghanistan doing offensive cyberspace operations.
On paper, Virden said his job role includes “providing leadership, direction, and guidance in assessing cyber security risk, compliance requirements, policies, operations, and leading the design and development of new IT security architectures to mitigate risk.” But in reality, his job is more about enabling his customers’ success, collaborating across campus, and promoting cybersecurity awareness. He sees his customers as the entire campus community, because everyone needs some aspect of information security to be successful in their roles.
Best advice for cyber protection
The first thing Virden tells people is to back up their data. Hard drives can fail, hackers can attack, or you can accidentally delete something very important. He also strongly recommends creating distinct passwords and usernames for each account you have, because he has seen many user credentials compromised since he joined UC.
Changes in the field
The field is shifting, Virden said, from implementing layered protections, such as firewalls, intrusion detection, encryption, and antivirus, to a focus on incident response, breach management and forensic services. He said, “It seems that no matter how many protections we put in place, the bad guys learn how to overrule them or get past those protections.” There is more focus now on being able to respond quickly if there’s an incident and getting things back to normal as soon as possible.
Virden said, “The future must be focused on risk management.” Organizations need to constantly assess threats, identify the vulnerabilities and weak spots, assess potential impact, and put appropriate mitigations in place based on the actual level of risk.
John was a dog agility trainer and competitor for 12 years. In fact, in 2013 he had the number-two-ranked dog by breed in the nation.