Building Relationships and Trust: The Key to Improving Security
With 20 years of military IT background, UCR’s Chief Information Security Officer (CISO) John Virden knows when to get in on the ground floor. So when UC CIO Tom Andriola and UC CISO David Rusting called for campus volunteers to participate in a collaborative cybersecurity research project, Virden was the first to take the leap – signing up UC Riverside’s Information Technology Solutions (ITS) on the spot.
The research project is being conducted by Ashwin Mathew, a visiting scholar at the UC Berkeley School of Information and a researcher at Packet Clearing House. In a system as large as UC, where cybersecurity is a long-term priority, Mathew is looking to address a variety of questions:
- What is the range of risks we are anticipating?
- What are we doing to address and investigate difficulties?
- Ultimately, how can trust play an integral role in the resolution of information security risks and troubles challenging our campuses and the system as a whole?
Mathew’s angle is intriguing precisely because it is not focused on personally identifiable information, or how to avoid the latest and greatest virus. His objective is to investigate information security cooperation and learning among higher education institutions, particularly the UC system. He wrote,
“To effectively respond to threats and vulnerabilities, information security practitioners must cooperate to securely share sensitive information and coordinate responses across organizational and territorial boundaries. Yet there are insufficient numbers of personnel who have learned the competencies necessary to build information security teams.”
During his three-week stay at UCR, Mathew worked closely with members of the ITS Information Security Office and other departments and colleges (e.g., computer science, the library, and executive offices). He conducted numerous interviews to gain an understanding of the organizations’ day-to-day activities and long-range goals.
Department representatives discussed their primary information security concerns, their needs and goals for data sharing and communication, and their perspectives about major roadblocks to enhancing information security. The latter turned out mainly to be the decentralization of information security teams across campus, as well as the difficulty of sharing and collaboration, given the sensitive nature of the content.
Mathew’s enthusiasm and research inspired the information security team to try new ways to grow trust relationships. They found that few tools work better for promoting campus-wide security than having the opportunity to meet face-to-face with representatives from other departments.
Following in the footsteps of UCR CIO Danna Gianforte, who created the Campus Information Technology Leaders (CITL) meeting series to improve collaboration among technology divisions across campus, Virden formed the UCR Information Security Team (IST), composed of cybersecurity professionals from across campus, to improve dialogue related to information security initiatives. Campus executive leadership also encourages staff attendance at UC-wide cybersecurity events to build opportunities for collaboration with other campuses.
Mathew’s research will take him to all UC campuses, with three others already in the queue after UCR. He expects that his final report will show how risk and uncertainty can be navigated by developing trust relationships among information security professionals, both within a campus and across the system. Mathew wrote,
“Information security is a fragmented whole, composed of strongly bounded, sparsely connected trust groups and organizations that seek to ensure the trustworthiness of participants. We suggest a substantially different set of policy interventions to support cooperation and learning in information security, focusing upon building interpersonal trust relationships, as much as on building institutional arrangements. Our recommendations include suggestions for stronger information sharing communities, for building relationships between educational institutions and information security practitioners, and for supporting diversity.”
The quotes in the article are from “A Fragmented Whole: Cooperation and Learning in the Practice of Information Security” (February 2018), by Ashwin Mathew and Coye Cheshire.